neshta | ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
Size

334KB
MD5

cbd55ec0a11cf6344414b28037fed7ab
SHA1

a2b66415e19f7a5c055c656fe3b717602fcb89e5
SHA256

ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5
SHA512

5a1ff9f7a8b4fffa10d827da20a4ef7101e6a55f023ed0574a63527d91cb516eac4884190abc505c100254922b6e750c76734438406d06196d4fca5596363c21
SSDEEP

3072:zr8WDrCoMeyoRJLc15QIvoKHcfAn8L2eoH0vuHimNdEMXH5yO4LP6gg/uYKr8WD2:PuRGLWoKHIAn8wuYNj5yO+6luYyu

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
996	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
2404	svchost.com
2864	FFE8EB~1.EXE
576	svchost.com
2840	FFE8EB~1.EXE
2472	svchost.com
2828	FFE8EB~1.EXE
2272	svchost.com
2816	FFE8EB~1.EXE
2596	svchost.com
2000	FFE8EB~1.EXE
940	svchost.com
3032	FFE8EB~1.EXE
2060	svchost.com
2920	FFE8EB~1.EXE
1820	svchost.com
1308	FFE8EB~1.EXE
2220	svchost.com
1872	FFE8EB~1.EXE
1536	svchost.com
1104	FFE8EB~1.EXE
2080	svchost.com
548	FFE8EB~1.EXE
924	svchost.com
1124	FFE8EB~1.EXE
1048	svchost.com
2564	FFE8EB~1.EXE
884	svchost.com
2368	FFE8EB~1.EXE
2104	svchost.com
2912	FFE8EB~1.EXE
2380	svchost.com
3016	FFE8EB~1.EXE
2840	svchost.com
2332	FFE8EB~1.EXE
2756	svchost.com
2012	FFE8EB~1.EXE
2900	svchost.com
2272	FFE8EB~1.EXE
2668	svchost.com
2596	FFE8EB~1.EXE
644	svchost.com
1712	FFE8EB~1.EXE
2996	svchost.com
3032	FFE8EB~1.EXE
1312	svchost.com
1700	FFE8EB~1.EXE
2776	svchost.com
896	FFE8EB~1.EXE
540	svchost.com
1936	FFE8EB~1.EXE
2036	svchost.com
2168	FFE8EB~1.EXE
1308	svchost.com
2252	FFE8EB~1.EXE
2220	svchost.com
1016	FFE8EB~1.EXE
1264	svchost.com
1496	FFE8EB~1.EXE
1104	svchost.com
912	FFE8EB~1.EXE
956	svchost.com
1772	FFE8EB~1.EXE
968	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
2404	svchost.com
2404	svchost.com
576	svchost.com
576	svchost.com
2472	svchost.com
2472	svchost.com
2272	svchost.com
2272	svchost.com
2596	svchost.com
2596	svchost.com
940	svchost.com
940	svchost.com
2060	svchost.com
2060	svchost.com
2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
996	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
1820	svchost.com
1820	svchost.com
2220	svchost.com
2220	svchost.com
1536	svchost.com
1536	svchost.com
2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
2080	svchost.com
2080	svchost.com
924	svchost.com
924	svchost.com
1048	svchost.com
1048	svchost.com
2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
884	svchost.com
884	svchost.com
996	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
2104	svchost.com
2104	svchost.com
2380	svchost.com
2380	svchost.com
2840	svchost.com
2840	svchost.com
2756	svchost.com
2756	svchost.com
2900	svchost.com
2900	svchost.com
2668	svchost.com
2668	svchost.com
644	svchost.com
644	svchost.com
2996	svchost.com
2996	svchost.com
1312	svchost.com
1312	svchost.com
2776	svchost.com
2776	svchost.com
540	svchost.com
540	svchost.com
2036	svchost.com
2036	svchost.com
1308	svchost.com
1308	svchost.com
2220	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 996	2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	30
PID 2148 wrote to memory of 996	2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	30
PID 2148 wrote to memory of 996	2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	30
PID 2148 wrote to memory of 996	2148	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	30
PID 996 wrote to memory of 2404	996	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	31
PID 996 wrote to memory of 2404	996	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	31
PID 996 wrote to memory of 2404	996	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	31
PID 996 wrote to memory of 2404	996	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	31
PID 2404 wrote to memory of 2864	2404	svchost.com	32
PID 2404 wrote to memory of 2864	2404	svchost.com	32
PID 2404 wrote to memory of 2864	2404	svchost.com	32
PID 2404 wrote to memory of 2864	2404	svchost.com	32
PID 2864 wrote to memory of 576	2864	FFE8EB~1.EXE	33
PID 2864 wrote to memory of 576	2864	FFE8EB~1.EXE	33
PID 2864 wrote to memory of 576	2864	FFE8EB~1.EXE	33
PID 2864 wrote to memory of 576	2864	FFE8EB~1.EXE	33
PID 576 wrote to memory of 2840	576	svchost.com	64
PID 576 wrote to memory of 2840	576	svchost.com	64
PID 576 wrote to memory of 2840	576	svchost.com	64
PID 576 wrote to memory of 2840	576	svchost.com	64
PID 2840 wrote to memory of 2472	2840	FFE8EB~1.EXE	35
PID 2840 wrote to memory of 2472	2840	FFE8EB~1.EXE	35
PID 2840 wrote to memory of 2472	2840	FFE8EB~1.EXE	35
PID 2840 wrote to memory of 2472	2840	FFE8EB~1.EXE	35
PID 2472 wrote to memory of 2828	2472	svchost.com	36
PID 2472 wrote to memory of 2828	2472	svchost.com	36
PID 2472 wrote to memory of 2828	2472	svchost.com	36
PID 2472 wrote to memory of 2828	2472	svchost.com	36
PID 2828 wrote to memory of 2272	2828	FFE8EB~1.EXE	113
PID 2828 wrote to memory of 2272	2828	FFE8EB~1.EXE	113
PID 2828 wrote to memory of 2272	2828	FFE8EB~1.EXE	113
PID 2828 wrote to memory of 2272	2828	FFE8EB~1.EXE	113
PID 2272 wrote to memory of 2816	2272	svchost.com	38
PID 2272 wrote to memory of 2816	2272	svchost.com	38
PID 2272 wrote to memory of 2816	2272	svchost.com	38
PID 2272 wrote to memory of 2816	2272	svchost.com	38
PID 2816 wrote to memory of 2596	2816	FFE8EB~1.EXE	71
PID 2816 wrote to memory of 2596	2816	FFE8EB~1.EXE	71
PID 2816 wrote to memory of 2596	2816	FFE8EB~1.EXE	71
PID 2816 wrote to memory of 2596	2816	FFE8EB~1.EXE	71
PID 2596 wrote to memory of 2000	2596	svchost.com	40
PID 2596 wrote to memory of 2000	2596	svchost.com	40
PID 2596 wrote to memory of 2000	2596	svchost.com	40
PID 2596 wrote to memory of 2000	2596	svchost.com	40
PID 2000 wrote to memory of 940	2000	FFE8EB~1.EXE	41
PID 2000 wrote to memory of 940	2000	FFE8EB~1.EXE	41
PID 2000 wrote to memory of 940	2000	FFE8EB~1.EXE	41
PID 2000 wrote to memory of 940	2000	FFE8EB~1.EXE	41
PID 940 wrote to memory of 3032	940	svchost.com	75
PID 940 wrote to memory of 3032	940	svchost.com	75
PID 940 wrote to memory of 3032	940	svchost.com	75
PID 940 wrote to memory of 3032	940	svchost.com	75
PID 3032 wrote to memory of 2060	3032	FFE8EB~1.EXE	43
PID 3032 wrote to memory of 2060	3032	FFE8EB~1.EXE	43
PID 3032 wrote to memory of 2060	3032	FFE8EB~1.EXE	43
PID 3032 wrote to memory of 2060	3032	FFE8EB~1.EXE	43
PID 2060 wrote to memory of 2920	2060	svchost.com	44
PID 2060 wrote to memory of 2920	2060	svchost.com	44
PID 2060 wrote to memory of 2920	2060	svchost.com	44
PID 2060 wrote to memory of 2920	2060	svchost.com	44
PID 2920 wrote to memory of 1820	2920	FFE8EB~1.EXE	45
PID 2920 wrote to memory of 1820	2920	FFE8EB~1.EXE	45
PID 2920 wrote to memory of 1820	2920	FFE8EB~1.EXE	45
PID 2920 wrote to memory of 1820	2920	FFE8EB~1.EXE	45

C:\Users\Admin\AppData\Local\Temp\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
"C:\Users\Admin\AppData\Local\Temp\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\3582-490\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:576
      - C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        66⤵
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        67⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        69⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        70⤵
        Drops file in Windows directory
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        71⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        73⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        74⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        75⤵
        Drops file in Windows directory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        76⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        79⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        80⤵
        Drops file in Windows directory
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        81⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        82⤵
        Drops file in Windows directory
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        83⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        85⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        86⤵
        
        PID:3040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        87⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        88⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        90⤵
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        91⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        92⤵
        
        PID:1312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        93⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        95⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        96⤵
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        97⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        98⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        99⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        100⤵
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        102⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        104⤵
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        105⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        106⤵
        
        PID:1532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        107⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        108⤵
        Drops file in Windows directory
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        109⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        110⤵
        
        PID:1292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        111⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        112⤵
        Drops file in Windows directory
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        113⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        115⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        116⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        117⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        118⤵
        Drops file in Windows directory
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        119⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        120⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        121⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        124⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        128⤵
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        129⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        130⤵
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        131⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        133⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        134⤵
        Drops file in Windows directory
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        135⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        136⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        137⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        138⤵
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        139⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        142⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        144⤵
        Drops file in Windows directory
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        145⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        146⤵
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        147⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        149⤵
        Drops file in Windows directory
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        150⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        151⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        152⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        153⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        154⤵
        Drops file in Windows directory
        
        PID:1048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        155⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        156⤵
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        157⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        158⤵
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        159⤵
        Drops file in Windows directory
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        161⤵
        Drops file in Windows directory
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        162⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        163⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        164⤵
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        165⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        166⤵
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        167⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        168⤵
        Drops file in Windows directory
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        170⤵
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        171⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        172⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        173⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        174⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        175⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        176⤵
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        178⤵
        
        PID:1312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        179⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        181⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        182⤵
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        183⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        184⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        185⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        186⤵
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        187⤵
        Drops file in Windows directory
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        188⤵
        
        PID:1128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        189⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        190⤵
        
        PID:2528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        191⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        192⤵
        
        PID:344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        194⤵
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        195⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        196⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        197⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        198⤵
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        199⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        200⤵
        Drops file in Windows directory
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        201⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        202⤵
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        203⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        204⤵
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        206⤵
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        207⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        208⤵
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        209⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        210⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        211⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        212⤵
        Drops file in Windows directory
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        213⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        214⤵
        Drops file in Windows directory
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        215⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        216⤵
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        217⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        218⤵
        Drops file in Windows directory
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        219⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        220⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        222⤵
        Drops file in Windows directory
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        223⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        224⤵
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        225⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        226⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        227⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        228⤵
        
        PID:2204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        229⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        230⤵
        Drops file in Windows directory
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        231⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        232⤵
        
        PID:1128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        234⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        235⤵
        Drops file in Windows directory
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        236⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        237⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        239⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        240⤵
        
        PID:1048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        241⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        242⤵
        Drops file in Windows directory
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        243⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        244⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        245⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        246⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        248⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        249⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        250⤵
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        251⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        252⤵
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        253⤵
        Drops file in Windows directory
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        254⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        255⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        256⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        257⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        258⤵
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        259⤵
        Drops file in Windows directory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        261⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        262⤵
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        263⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        264⤵
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        265⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        266⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        267⤵
        Drops file in Windows directory
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        268⤵
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        269⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        270⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        272⤵
        Drops file in Windows directory
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        273⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        274⤵
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        275⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        276⤵
        Drops file in Windows directory
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        277⤵
        Drops file in Windows directory
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        278⤵
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        279⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        280⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        282⤵
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        283⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        284⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        287⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        288⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        290⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        292⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        293⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        296⤵
        Drops file in Windows directory
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        298⤵
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        300⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        301⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        302⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        303⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        304⤵
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        305⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        306⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        307⤵
        Drops file in Windows directory
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        308⤵
        
        PID:1288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        309⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        310⤵
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        311⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        312⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        313⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        314⤵
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        315⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        316⤵
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        318⤵
        
        PID:1888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        319⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        320⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        321⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        322⤵
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        323⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        324⤵
        Drops file in Windows directory
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        326⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        327⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        328⤵
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        329⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        330⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        331⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        332⤵
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
2142b0fff4fbaaaa52bb901730f4b58c

SHA1
8c139ed4e04bb6413200716f0567bf76262e3051

SHA256
da7c7e2a69816a8e1c3cd016bdd461c5b55963ef6f198287098b193893d37a54

SHA512
f9055d72c535836ec3f06278a7891572665e943ca5af52f84ee368504e82a1f2ce330d455b8420a61e8576b9c8daa08063905df50c76248c58d8c9c97a03c7a0

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
569KB

MD5
7fc6761ca71bceb933fcfe06864aac5e

SHA1
40b2c8e82eec845ef471ae1f23bf5896cf0c1c9e

SHA256
b4d5b800b790653e9871caaac9cbca146fd45f3970fb3e87ded38cfe77c0f935

SHA512
a4564d46809f834c18ba2ca60d44eb78b4c76666346ae980e601343a9c026f5146ce55defb70feee88a85da9c7c067bce7e21e1e525392da3bd1f3ef6d38d350

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
1bd32548884b3c856e40b1c4b2c7c1be

SHA1
71a8934e6a93720734c5da3e573781804790916c

SHA256
e7c3ef83d115a98ef4387fce71db23af764c53fcfa97f3db80f7b5442f7e4291

SHA512
120c93b076e50bfc1ef7ac007d742c8d211d23db31444ae7d68ed25ca371e26830a6f5080c3bc40f1b1039e5ba05cdb715c213b07b4d41653cb6a48368101532

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
b850765b8c14581ce7f530af5f2fbd51

SHA1
880e465cdefe80f5ca4000b58a3b10cd5b37cd0c

SHA256
5d581c2884941148c835ca3ebe16c7389b8d2428904d3c506acff241bfab377b

SHA512
5eda1bb561fa4b024e82f471588102bb802435b937ff76f7ef5f5f3b3b8b623c88c32bfeb1b1c2acfeb907b97627ab0310be62be5e33253e826e86f5da0edd42

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7ec2df8eed735807665e080b1e126758

SHA1
645801588981cd22f692dfde9e011d50df16605a

SHA256
968a4d30bfaa55895362054e5077539d659866e80e4e0734e8cbd4a9cf6ad458

SHA512
cba30ae65d9667ed014d35b7755353563913d15c80fcd565f2900f0cb83486eb00ae3f8b43b041621045cebbd1923ad023aeb749dde84d3fe95a87b26de54235

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe

Filesize
293KB

MD5
951ff419093c67a230e04a1befe2a879

SHA1
e1a22515108a20276995d287321ea4437b8f6bf4

SHA256
a3338bbf32b2c707091e382e26e3ebdcecae8be341de2ab175b2bcd8ee1413c5

SHA512
68b47e5f23f6765cf2cd9dbd7d5c04460a7ba4f9b9413cb3695b9e58dfc4ae45e01cce07810b176ea5a3546697547a5508c4a4ff59bfe5a6bc16095fd6dfa4cb

Download Submit
memory/540-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/548-197-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/576-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/644-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/884-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/896-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/912-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/924-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/940-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/956-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/968-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1016-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1104-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1104-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1124-213-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1264-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1312-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1496-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1820-156-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-172-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1936-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2080-198-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2168-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2252-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2272-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2272-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2332-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2380-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2472-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2540-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2564-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2776-348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2996-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads