neshta | fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
Size

383KB
MD5

22f70db1f27b3553a4942d1b3cbe7275
SHA1

3c6aba77ef2c4f9355a66154cacc8ea514c16c06
SHA256

fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec
SHA512

3adb4c03d1dd124f6de7716490733df250397dd59d950d777ca300e8424dcb4d7cecba71e585c1d72780ed9446d0a769bcfd741bfc1052086d9d43e61fc5ba09
SSDEEP

3072:zr8WDrCjXrtbl44nwb+E/UeH+QyJen3nt3fJaiakiO8sd8rKzXetLYruD5fDeFru:PujXM4nntUNfJzeOxXeyro5uu

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
2880	svchost.com
2220	FD662C~1.EXE
2832	svchost.com
2720	FD662C~1.EXE
2756	svchost.com
2636	FD662C~1.EXE
2652	svchost.com
2668	FD662C~1.EXE
2640	svchost.com
1936	FD662C~1.EXE
748	svchost.com
1252	FD662C~1.EXE
1996	svchost.com
276	FD662C~1.EXE
1912	svchost.com
2932	FD662C~1.EXE
2180	svchost.com
2928	FD662C~1.EXE
1044	svchost.com
1924	FD662C~1.EXE
1268	svchost.com
1536	FD662C~1.EXE
3024	svchost.com
2428	FD662C~1.EXE
560	svchost.com
848	FD662C~1.EXE
2272	svchost.com
1556	FD662C~1.EXE
2516	svchost.com
2824	FD662C~1.EXE
2736	svchost.com
2876	FD662C~1.EXE
2728	svchost.com
2844	FD662C~1.EXE
2860	svchost.com
2648	FD662C~1.EXE
2672	svchost.com
2080	FD662C~1.EXE
2040	svchost.com
2716	FD662C~1.EXE
1424	svchost.com
936	FD662C~1.EXE
2664	svchost.com
1252	FD662C~1.EXE
2584	svchost.com
1300	FD662C~1.EXE
1188	svchost.com
2944	FD662C~1.EXE
2948	svchost.com
1592	FD662C~1.EXE
2056	svchost.com
2164	FD662C~1.EXE
2932	svchost.com
2424	FD662C~1.EXE
2936	svchost.com
2576	FD662C~1.EXE
596	svchost.com
2556	FD662C~1.EXE
3036	svchost.com
2784	FD662C~1.EXE
1532	svchost.com
2312	FD662C~1.EXE
1768	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
2880	svchost.com
2880	svchost.com
2832	svchost.com
2832	svchost.com
2756	svchost.com
2756	svchost.com
2652	svchost.com
2652	svchost.com
2640	svchost.com
2640	svchost.com
748	svchost.com
748	svchost.com
1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
1996	svchost.com
1996	svchost.com
1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
1912	svchost.com
1912	svchost.com
2180	svchost.com
2180	svchost.com
2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
1044	svchost.com
1044	svchost.com
1268	svchost.com
1268	svchost.com
3024	svchost.com
3024	svchost.com
1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
560	svchost.com
560	svchost.com
2272	svchost.com
2272	svchost.com
2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
2516	svchost.com
2516	svchost.com
2736	svchost.com
2736	svchost.com
2728	svchost.com
2728	svchost.com
1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
2860	svchost.com
2860	svchost.com
2672	svchost.com
2672	svchost.com
2040	svchost.com
2040	svchost.com
1424	svchost.com
1424	svchost.com
2664	svchost.com
2664	svchost.com
2584	svchost.com
2584	svchost.com
1188	svchost.com
1188	svchost.com
2948	svchost.com
2948	svchost.com
2056	svchost.com
2056	svchost.com
2932	svchost.com
2932	svchost.com
2936	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1732	2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	30
PID 2396 wrote to memory of 1732	2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	30
PID 2396 wrote to memory of 1732	2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	30
PID 2396 wrote to memory of 1732	2396	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	30
PID 1732 wrote to memory of 2880	1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	31
PID 1732 wrote to memory of 2880	1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	31
PID 1732 wrote to memory of 2880	1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	31
PID 1732 wrote to memory of 2880	1732	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	31
PID 2880 wrote to memory of 2220	2880	svchost.com	32
PID 2880 wrote to memory of 2220	2880	svchost.com	32
PID 2880 wrote to memory of 2220	2880	svchost.com	32
PID 2880 wrote to memory of 2220	2880	svchost.com	32
PID 2220 wrote to memory of 2832	2220	FD662C~1.EXE	33
PID 2220 wrote to memory of 2832	2220	FD662C~1.EXE	33
PID 2220 wrote to memory of 2832	2220	FD662C~1.EXE	33
PID 2220 wrote to memory of 2832	2220	FD662C~1.EXE	33
PID 2832 wrote to memory of 2720	2832	svchost.com	34
PID 2832 wrote to memory of 2720	2832	svchost.com	34
PID 2832 wrote to memory of 2720	2832	svchost.com	34
PID 2832 wrote to memory of 2720	2832	svchost.com	34
PID 2720 wrote to memory of 2756	2720	FD662C~1.EXE	35
PID 2720 wrote to memory of 2756	2720	FD662C~1.EXE	35
PID 2720 wrote to memory of 2756	2720	FD662C~1.EXE	35
PID 2720 wrote to memory of 2756	2720	FD662C~1.EXE	35
PID 2756 wrote to memory of 2636	2756	svchost.com	36
PID 2756 wrote to memory of 2636	2756	svchost.com	36
PID 2756 wrote to memory of 2636	2756	svchost.com	36
PID 2756 wrote to memory of 2636	2756	svchost.com	36
PID 2636 wrote to memory of 2652	2636	FD662C~1.EXE	37
PID 2636 wrote to memory of 2652	2636	FD662C~1.EXE	37
PID 2636 wrote to memory of 2652	2636	FD662C~1.EXE	37
PID 2636 wrote to memory of 2652	2636	FD662C~1.EXE	37
PID 2652 wrote to memory of 2668	2652	svchost.com	38
PID 2652 wrote to memory of 2668	2652	svchost.com	38
PID 2652 wrote to memory of 2668	2652	svchost.com	38
PID 2652 wrote to memory of 2668	2652	svchost.com	38
PID 2668 wrote to memory of 2640	2668	FD662C~1.EXE	39
PID 2668 wrote to memory of 2640	2668	FD662C~1.EXE	39
PID 2668 wrote to memory of 2640	2668	FD662C~1.EXE	39
PID 2668 wrote to memory of 2640	2668	FD662C~1.EXE	39
PID 2640 wrote to memory of 1936	2640	svchost.com	114
PID 2640 wrote to memory of 1936	2640	svchost.com	114
PID 2640 wrote to memory of 1936	2640	svchost.com	114
PID 2640 wrote to memory of 1936	2640	svchost.com	114
PID 1936 wrote to memory of 748	1936	FD662C~1.EXE	118
PID 1936 wrote to memory of 748	1936	FD662C~1.EXE	118
PID 1936 wrote to memory of 748	1936	FD662C~1.EXE	118
PID 1936 wrote to memory of 748	1936	FD662C~1.EXE	118
PID 748 wrote to memory of 1252	748	svchost.com	74
PID 748 wrote to memory of 1252	748	svchost.com	74
PID 748 wrote to memory of 1252	748	svchost.com	74
PID 748 wrote to memory of 1252	748	svchost.com	74
PID 1252 wrote to memory of 1996	1252	FD662C~1.EXE	43
PID 1252 wrote to memory of 1996	1252	FD662C~1.EXE	43
PID 1252 wrote to memory of 1996	1252	FD662C~1.EXE	43
PID 1252 wrote to memory of 1996	1252	FD662C~1.EXE	43
PID 1996 wrote to memory of 276	1996	svchost.com	44
PID 1996 wrote to memory of 276	1996	svchost.com	44
PID 1996 wrote to memory of 276	1996	svchost.com	44
PID 1996 wrote to memory of 276	1996	svchost.com	44
PID 276 wrote to memory of 1912	276	FD662C~1.EXE	45
PID 276 wrote to memory of 1912	276	FD662C~1.EXE	45
PID 276 wrote to memory of 1912	276	FD662C~1.EXE	45
PID 276 wrote to memory of 1912	276	FD662C~1.EXE	45

C:\Users\Admin\AppData\Local\Temp\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
"C:\Users\Admin\AppData\Local\Temp\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        66⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        67⤵
        Drops file in Windows directory
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        69⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        70⤵
        
        PID:848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        71⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        72⤵
        
        PID:2528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        73⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        74⤵
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        76⤵
        Drops file in Windows directory
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        77⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        78⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        79⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        80⤵
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        81⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        82⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        83⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        84⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        85⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        86⤵
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        88⤵
        
        PID:264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        89⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        90⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        91⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        92⤵
        
        PID:808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        93⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        94⤵
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        95⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        96⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        97⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        98⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        99⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        100⤵
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        101⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        102⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        104⤵
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        105⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        106⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        107⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        109⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        110⤵
        Drops file in Windows directory
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        111⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        112⤵
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        113⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        114⤵
        
        PID:1564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        115⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        116⤵
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        117⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        118⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        119⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        120⤵
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        121⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        122⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        123⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        125⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        126⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        127⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        128⤵
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        129⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        131⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        132⤵
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        133⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        134⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        135⤵
        Drops file in Windows directory
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        136⤵
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        137⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        140⤵
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        142⤵
        Drops file in Windows directory
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        143⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        144⤵
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        145⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        146⤵
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        147⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        148⤵
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        149⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        150⤵
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        151⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        152⤵
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        153⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        154⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        155⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        156⤵
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        157⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        158⤵
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        159⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        160⤵
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        161⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        162⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        163⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        164⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        167⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        168⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        169⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        170⤵
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        171⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        172⤵
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        173⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        174⤵
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        175⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        176⤵
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        177⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        178⤵
        
        PID:288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        179⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        180⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        182⤵
        Drops file in Windows directory
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        183⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        184⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        185⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        186⤵
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        187⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        188⤵
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        189⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        190⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        191⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        192⤵
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        193⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        194⤵
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        196⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        197⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        198⤵
        
        PID:2952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        199⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        200⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        201⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        202⤵
        
        PID:352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        204⤵
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        205⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        206⤵
        
        PID:2440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        207⤵
        Drops file in Windows directory
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        208⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        209⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        210⤵
        Drops file in Windows directory
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        211⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        212⤵
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        213⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        214⤵
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        215⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        216⤵
        Drops file in Windows directory
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        217⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        218⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        219⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        220⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        221⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        222⤵
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        225⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        226⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        227⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        228⤵
        Drops file in Windows directory
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        230⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        231⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        234⤵
        
        PID:968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        235⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        236⤵
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        237⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        238⤵
        
        PID:616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        239⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        240⤵
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        241⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        242⤵
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        243⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        245⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        246⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        248⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        250⤵
        Drops file in Windows directory
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        251⤵
        Drops file in Windows directory
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        252⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        253⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        255⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        256⤵
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        257⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        258⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        259⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        260⤵
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        261⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        262⤵
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        263⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        265⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        266⤵
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        267⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        268⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        269⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        270⤵
        
        PID:2496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        271⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        272⤵
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        273⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        274⤵
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        275⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        276⤵
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        277⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        278⤵
        
        PID:1500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        279⤵
        Drops file in Windows directory
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        280⤵
        Drops file in Windows directory
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        281⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        282⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        283⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        284⤵
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        285⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        286⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        287⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        289⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        290⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        291⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        292⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        293⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        294⤵
        Drops file in Windows directory
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        295⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        297⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        298⤵
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        299⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        300⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        301⤵
        Drops file in Windows directory
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        302⤵
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        303⤵
        Drops file in Windows directory
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        304⤵
        Drops file in Windows directory
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        305⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        306⤵
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        307⤵
        Drops file in Windows directory
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        308⤵
        Drops file in Windows directory
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        309⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        310⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        311⤵
        Drops file in Windows directory
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        312⤵
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        313⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        314⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        315⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        316⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        317⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        318⤵
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        319⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        320⤵
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        321⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        322⤵
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        323⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        324⤵
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        325⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        326⤵
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        327⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        328⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        329⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        330⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        331⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        332⤵
        
        PID:272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        333⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        334⤵
        Drops file in Windows directory
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        335⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        336⤵
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        337⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        338⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        339⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        340⤵
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        341⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        342⤵
        Drops file in Windows directory
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        343⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        344⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        345⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        346⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        347⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        348⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        349⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        350⤵
        Drops file in Windows directory
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        351⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        352⤵
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        353⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        354⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        355⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        356⤵
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        357⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        358⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        359⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        360⤵
        
        PID:276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        361⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        362⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        363⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        364⤵
        Drops file in Windows directory
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        365⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        366⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        367⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        368⤵
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        369⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        370⤵
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        371⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        372⤵
        
        PID:1500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        373⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        374⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        375⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        376⤵
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        377⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        378⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        379⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        380⤵
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        381⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        382⤵
        
        PID:560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        383⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        384⤵
        
        PID:2412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        385⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        386⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        387⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        388⤵
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        389⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        390⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        391⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        392⤵
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        393⤵
        Drops file in Windows directory
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        394⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        395⤵
        Drops file in Windows directory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        396⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        397⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        398⤵
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        399⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        400⤵
        
        PID:2456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        401⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        402⤵
        Drops file in Windows directory
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        403⤵
        Drops file in Windows directory
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        404⤵
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        405⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        406⤵
        
        PID:808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        407⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        408⤵
        
        PID:348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        409⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        410⤵
        
        PID:824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        411⤵
        Drops file in Windows directory
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        412⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        413⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        414⤵
        Drops file in Windows directory
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        415⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        416⤵
        Drops file in Windows directory
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        417⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        418⤵
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        419⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        420⤵
        Drops file in Windows directory
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        421⤵
        Drops file in Windows directory
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        422⤵
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        423⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        424⤵
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        425⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        426⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        427⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        428⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        429⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        430⤵
        Drops file in Windows directory
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        431⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        432⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        433⤵
        Drops file in Windows directory
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        434⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        435⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        436⤵
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        437⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        438⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        439⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        440⤵
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        441⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        442⤵
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        443⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        444⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        445⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        446⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        447⤵
        Drops file in Windows directory
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        448⤵
        Drops file in Windows directory
        
        PID:528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        449⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        450⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        451⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        452⤵
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        453⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        454⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        455⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        456⤵
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        457⤵
        Drops file in Windows directory
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        458⤵
        
        PID:1508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        459⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        460⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        461⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        462⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        463⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        464⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        465⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        466⤵
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        467⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        468⤵
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        469⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        470⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        471⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        472⤵
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        473⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        474⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        475⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        476⤵
        Drops file in Windows directory
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        477⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        478⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        479⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        480⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        481⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        482⤵
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        483⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        484⤵
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        485⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        486⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        487⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        488⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        489⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        490⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        491⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        492⤵
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        493⤵
        Drops file in Windows directory
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        494⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        495⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        496⤵
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        497⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        498⤵
        
        PID:264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        499⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        500⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        501⤵
        Drops file in Windows directory
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        502⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        503⤵
        Drops file in Windows directory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        504⤵
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        505⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        506⤵
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        507⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        508⤵
        Drops file in Windows directory
        
        PID:968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        509⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        510⤵
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        511⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        512⤵
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        513⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        514⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        515⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        516⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        517⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        518⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        519⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        520⤵
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        521⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        522⤵
        Drops file in Windows directory
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        523⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        524⤵
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        525⤵
        Drops file in Windows directory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        526⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        527⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        528⤵
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        529⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        530⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        531⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        532⤵
        Drops file in Windows directory
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        533⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        534⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        535⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        536⤵
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        537⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        538⤵
        
        PID:552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        539⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        540⤵
        
        PID:1668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        541⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        542⤵
        
        PID:660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        543⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        544⤵
        
        PID:564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        545⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        546⤵
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        547⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        548⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        549⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        550⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        551⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        552⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        553⤵
        Drops file in Windows directory
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        554⤵
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        555⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        556⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        557⤵
        Drops file in Windows directory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        558⤵
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        559⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        560⤵
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        561⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        562⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        563⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        564⤵
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        565⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        566⤵
        
        PID:2160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        567⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        568⤵
        
        PID:560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        569⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        570⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        571⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        572⤵
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        573⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        574⤵
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        575⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        576⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        577⤵
        Drops file in Windows directory
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        578⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        579⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        580⤵
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        581⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        582⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        583⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        584⤵
        Drops file in Windows directory
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        585⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        586⤵
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        587⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        588⤵
        Drops file in Windows directory
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        589⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        590⤵
        
        PID:376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        591⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        592⤵
        
        PID:2584

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16543595711343422192-178109681814065964151475134057-723445838-1426576332885158646"
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
ef407e57ff5f479834048ed0689a9005

SHA1
84345aa2990f760a74ca346504f3a110d61be769

SHA256
017353dbaabb5e4f3205573df2e89dd652c9f63e38074c5fa21704c48b15918f

SHA512
56bcc330e5f0411cc907ec0b910405e55be750b02093ce202a9365d77a5578e01ed75c8f156db0c4d8877d8bba5f3b26bf675dc9aad6c33523ef896fd98b3147

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
2.4MB

MD5
a4976519439254ea7f40d9c8aaf3b42e

SHA1
f42b2f977c2498a9705bfc337d90fd79495d79fc

SHA256
b0395474d847b8729864e79346792aba77996fb847fc8a146d609fd2a8500cfb

SHA512
2385470d6fd19a170c89eff3a2462ff0960724e6716bd7e432cee56cd811c306775cbfa7b118de5d41779f59663469320a0b8c07267be807280d3a050ea735ad

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
571KB

MD5
21a653f5da8c7b13d9a41277a03613d6

SHA1
b30699a9745f64328ff6cb0541244d5dff6c6e9a

SHA256
2b35f2e39759607412dfe4f5d934d0caf69eb96a39c3601ffc86e74bc726b1d6

SHA512
b38cbaae8eb5a2c944f144461424be3f57a42403ff83e2ade7522302e6d0c6cb1896ce2a1b8b40fd1d7c48128ad64a1fe689f7feae8e48643b80b23fffde8ee8

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
fdf02b51e6dd28873c21c55e22d276a0

SHA1
435ee11bd78ab2946ba1da65fa0e478135d87ce3

SHA256
7232825710bfe15014cbc196ccbbfe69c1a649fb00abcf16104dfd071dfc510f

SHA512
cdf5e8d55f07c3c9410f698604e3fb8f5cd9462319a936a5be29aa7e439e6dcdfbcd2174eb268d23927996074b0f574d4a4b52c47ad6259743c0741ee9683a12

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
837625c937c93f660ebea9a810fe8f45

SHA1
f6446f892333ca2ebb8ece4fbbb150ed97c54e74

SHA256
b4ed11330c4889e37122a9eda274badc2f11c80ace26d11ecf29e60da51e36c3

SHA512
235a610d3931b7b62199d9058b804636faa93d2e75e3c4a2383ca753e370185eed2db3f6acd0907f3fddc0c0717be1d3b4457b058f0c0ae22e74d260e5de5fe7

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
373KB

MD5
19feeebcfb818724752cc00ce9d2bd1b

SHA1
56d62cba9ffc38997c7cb637f0f365d899ba8f27

SHA256
abcd71656c9b90220c118e6fb8e334d78e5f2ea0f02ddf64bd3f9d8f503539f0

SHA512
cb23aca213be3da84ca0a5e254f750c60fa9b16a10e8b94f659aecbd837afad945671c525d55d476ac1c9be9df0628c6b9b78c85fe61e06185d6e5b81de85898

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Filesize
342KB

MD5
7ef0e707c6eeb711aad73ee0889d53e9

SHA1
e64c3e990891817e0d8bc9cfa1af375d7715baf7

SHA256
dca0b776d9de5f91c2e66450fc6f37e31039d646fd249102cb4f6027917f2b44

SHA512
72f19a17d51e50996f61a96bbd5c7fdc5873129722fa4b07f4ca821260e0786355b183583fda1dccd1dd7370b45f1eb9062e831e81558a846504682b9ca6d46e

Download Submit
memory/276-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/560-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/596-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/848-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/936-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1044-192-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1252-112-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1252-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1268-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1300-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1424-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-200-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1556-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1684-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1768-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1912-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-191-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1936-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2080-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2180-175-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2272-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2312-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2424-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2584-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2636-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2652-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2664-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2716-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2736-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2824-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2832-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2860-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2928-174-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2932-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2932-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2944-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3024-216-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads