neshta | ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
Size

160KB
MD5

ed94aca012ef6b6d1405be64a5c21b80
SHA1

49cfcf3cc8b14b5ac196043258c69b50f4ab7219
SHA256

ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70a
SHA512

068b92d9a6d17ed2e25a63346b6608967773f7fdbe4859e235d278c1a92a70724eb89b95db215594442dc57158681014483ae10d39924eebb231637436b99b84
SSDEEP

3072:sr85CgOgoku2tn8ZepItrsG4vEFyTS+LGyr85C:k9gOgoV2tn8oorROEFsS+LG69

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019551-2.dat	family_neshta
behavioral1/files/0x000700000001955c-15.dat	family_neshta
behavioral1/files/0x0001000000010315-20.dat	family_neshta
behavioral1/files/0x0001000000010313-19.dat	family_neshta
behavioral1/files/0x000400000001033b-18.dat	family_neshta
behavioral1/files/0x000d000000010685-17.dat	family_neshta
behavioral1/memory/1444-31-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2264-30-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2896-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2812-45-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2688-59-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3044-58-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2680-73-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1292-72-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1700-87-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2520-86-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1812-100-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3016-99-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2772-115-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1244-114-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f77a-142.dat	family_neshta
behavioral1/memory/2076-132-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1772-131-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7ce-146.dat	family_neshta
behavioral1/memory/1236-150-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2512-157-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1716-162-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2412-161-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/268-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2224-176-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1868-197-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1668-198-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1492-205-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1768-204-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1988-222-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1780-223-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1748-230-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2388-231-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1556-246-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2608-245-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2116-261-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2252-260-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2404-281-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2936-282-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2240-300-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2876-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2820-308-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2724-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2548-325-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2560-326-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2480-337-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2784-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2956-345-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1256-344-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3020-353-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2996-352-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1272-360-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1908-361-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1980-369-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2992-368-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2500-376-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/660-377-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1152-385-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2512-384-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
2124	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
1444	svchost.com
2264	CE6676~1.EXE
2812	svchost.com
2896	CE6676~1.EXE
2688	svchost.com
3044	CE6676~1.EXE
1292	svchost.com
2680	CE6676~1.EXE
1700	svchost.com
2520	CE6676~1.EXE
1812	svchost.com
3016	CE6676~1.EXE
1244	svchost.com
2772	CE6676~1.EXE
2076	svchost.com
1772	CE6676~1.EXE
1236	svchost.com
2512	CE6676~1.EXE
2412	svchost.com
1716	CE6676~1.EXE
268	svchost.com
2224	CE6676~1.EXE
1868	svchost.com
1668	CE6676~1.EXE
1492	svchost.com
1768	CE6676~1.EXE
1780	svchost.com
1988	CE6676~1.EXE
1748	svchost.com
2388	CE6676~1.EXE
1556	svchost.com
2608	CE6676~1.EXE
2116	svchost.com
2252	CE6676~1.EXE
2936	svchost.com
2404	CE6676~1.EXE
2240	svchost.com
2876	CE6676~1.EXE
2724	svchost.com
2820	CE6676~1.EXE
2560	svchost.com
2548	CE6676~1.EXE
2784	svchost.com
2480	CE6676~1.EXE
2956	svchost.com
1256	CE6676~1.EXE
3020	svchost.com
2996	CE6676~1.EXE
1272	svchost.com
1908	CE6676~1.EXE
1980	svchost.com
2992	CE6676~1.EXE
660	svchost.com
2500	CE6676~1.EXE
1152	svchost.com
2512	CE6676~1.EXE
2492	svchost.com
448	CE6676~1.EXE
2864	svchost.com
268	CE6676~1.EXE
2224	svchost.com
2012	CE6676~1.EXE
1596	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
1444	svchost.com
1444	svchost.com
2812	svchost.com
2812	svchost.com
2688	svchost.com
2688	svchost.com
1292	svchost.com
1292	svchost.com
1700	svchost.com
1700	svchost.com
1812	svchost.com
1812	svchost.com
1244	svchost.com
1244	svchost.com
2076	svchost.com
2076	svchost.com
1236	svchost.com
1236	svchost.com
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
2412	svchost.com
2412	svchost.com
2124	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
268	svchost.com
268	svchost.com
2124	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
1868	svchost.com
1868	svchost.com
1492	svchost.com
1492	svchost.com
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
1780	svchost.com
1780	svchost.com
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
1748	svchost.com
1748	svchost.com
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
1556	svchost.com
1556	svchost.com
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
2116	svchost.com
2116	svchost.com
2936	svchost.com
2936	svchost.com
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
2240	svchost.com
2240	svchost.com
2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
2724	svchost.com
2724	svchost.com
2560	svchost.com
2560	svchost.com
2784	svchost.com
2784	svchost.com
2956	svchost.com
2956	svchost.com
3020	svchost.com
3020	svchost.com
1272	svchost.com
1272	svchost.com
1980	svchost.com
1980	svchost.com
660	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	CE6676~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE6676~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2124	2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe	30
PID 2392 wrote to memory of 2124	2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe	30
PID 2392 wrote to memory of 2124	2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe	30
PID 2392 wrote to memory of 2124	2392	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe	30
PID 2124 wrote to memory of 1444	2124	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe	31
PID 2124 wrote to memory of 1444	2124	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe	31
PID 2124 wrote to memory of 1444	2124	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe	31
PID 2124 wrote to memory of 1444	2124	ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe	31
PID 1444 wrote to memory of 2264	1444	svchost.com	32
PID 1444 wrote to memory of 2264	1444	svchost.com	32
PID 1444 wrote to memory of 2264	1444	svchost.com	32
PID 1444 wrote to memory of 2264	1444	svchost.com	32
PID 2264 wrote to memory of 2812	2264	CE6676~1.EXE	33
PID 2264 wrote to memory of 2812	2264	CE6676~1.EXE	33
PID 2264 wrote to memory of 2812	2264	CE6676~1.EXE	33
PID 2264 wrote to memory of 2812	2264	CE6676~1.EXE	33
PID 2812 wrote to memory of 2896	2812	svchost.com	34
PID 2812 wrote to memory of 2896	2812	svchost.com	34
PID 2812 wrote to memory of 2896	2812	svchost.com	34
PID 2812 wrote to memory of 2896	2812	svchost.com	34
PID 2896 wrote to memory of 2688	2896	CE6676~1.EXE	35
PID 2896 wrote to memory of 2688	2896	CE6676~1.EXE	35
PID 2896 wrote to memory of 2688	2896	CE6676~1.EXE	35
PID 2896 wrote to memory of 2688	2896	CE6676~1.EXE	35
PID 2688 wrote to memory of 3044	2688	svchost.com	36
PID 2688 wrote to memory of 3044	2688	svchost.com	36
PID 2688 wrote to memory of 3044	2688	svchost.com	36
PID 2688 wrote to memory of 3044	2688	svchost.com	36
PID 3044 wrote to memory of 1292	3044	CE6676~1.EXE	37
PID 3044 wrote to memory of 1292	3044	CE6676~1.EXE	37
PID 3044 wrote to memory of 1292	3044	CE6676~1.EXE	37
PID 3044 wrote to memory of 1292	3044	CE6676~1.EXE	37
PID 1292 wrote to memory of 2680	1292	svchost.com	118
PID 1292 wrote to memory of 2680	1292	svchost.com	118
PID 1292 wrote to memory of 2680	1292	svchost.com	118
PID 1292 wrote to memory of 2680	1292	svchost.com	118
PID 2680 wrote to memory of 1700	2680	CE6676~1.EXE	39
PID 2680 wrote to memory of 1700	2680	CE6676~1.EXE	39
PID 2680 wrote to memory of 1700	2680	CE6676~1.EXE	39
PID 2680 wrote to memory of 1700	2680	CE6676~1.EXE	39
PID 1700 wrote to memory of 2520	1700	svchost.com	40
PID 1700 wrote to memory of 2520	1700	svchost.com	40
PID 1700 wrote to memory of 2520	1700	svchost.com	40
PID 1700 wrote to memory of 2520	1700	svchost.com	40
PID 2520 wrote to memory of 1812	2520	CE6676~1.EXE	41
PID 2520 wrote to memory of 1812	2520	CE6676~1.EXE	41
PID 2520 wrote to memory of 1812	2520	CE6676~1.EXE	41
PID 2520 wrote to memory of 1812	2520	CE6676~1.EXE	41
PID 1812 wrote to memory of 3016	1812	svchost.com	125
PID 1812 wrote to memory of 3016	1812	svchost.com	125
PID 1812 wrote to memory of 3016	1812	svchost.com	125
PID 1812 wrote to memory of 3016	1812	svchost.com	125
PID 3016 wrote to memory of 1244	3016	CE6676~1.EXE	43
PID 3016 wrote to memory of 1244	3016	CE6676~1.EXE	43
PID 3016 wrote to memory of 1244	3016	CE6676~1.EXE	43
PID 3016 wrote to memory of 1244	3016	CE6676~1.EXE	43
PID 1244 wrote to memory of 2772	1244	svchost.com	44
PID 1244 wrote to memory of 2772	1244	svchost.com	44
PID 1244 wrote to memory of 2772	1244	svchost.com	44
PID 1244 wrote to memory of 2772	1244	svchost.com	44
PID 2772 wrote to memory of 2076	2772	CE6676~1.EXE	129
PID 2772 wrote to memory of 2076	2772	CE6676~1.EXE	129
PID 2772 wrote to memory of 2076	2772	CE6676~1.EXE	129
PID 2772 wrote to memory of 2076	2772	CE6676~1.EXE	129

C:\Users\Admin\AppData\Local\Temp\ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
"C:\Users\Admin\AppData\Local\Temp\ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\3582-490\ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        67⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        68⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        69⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        70⤵
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        71⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        72⤵
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        73⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        74⤵
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        75⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        76⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        77⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        78⤵
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        79⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        80⤵
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        81⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        82⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        83⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        84⤵
        
        PID:780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        86⤵
        Drops file in Windows directory
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        87⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        88⤵
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        89⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        90⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        91⤵
        Drops file in Windows directory
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        93⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        94⤵
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        96⤵
        Drops file in Windows directory
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        97⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        98⤵
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        99⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        100⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        101⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        102⤵
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        103⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        104⤵
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        105⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        106⤵
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        108⤵
        
        PID:572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        109⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        110⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        111⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        113⤵
        Drops file in Windows directory
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        114⤵
        
        PID:576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        115⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        116⤵
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        117⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        118⤵
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        119⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        120⤵
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        121⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        122⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        123⤵
        Drops file in Windows directory
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        125⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        126⤵
        
        PID:1444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        127⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        128⤵
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        130⤵
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        131⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        132⤵
        Drops file in Windows directory
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        133⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        134⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        135⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        136⤵
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        137⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        138⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        141⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        142⤵
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        143⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        144⤵
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        145⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        146⤵
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        147⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        149⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        150⤵
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        151⤵
        Drops file in Windows directory
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        152⤵
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        153⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        154⤵
        Drops file in Windows directory
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        156⤵
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        159⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        160⤵
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        161⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        162⤵
        Drops file in Windows directory
        
        PID:692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        163⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        165⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        166⤵
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        168⤵
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        169⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        170⤵
        Drops file in Windows directory
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        171⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        172⤵
        
        PID:1976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        174⤵
        Drops file in Windows directory
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        175⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        176⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        177⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        178⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        179⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        180⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        181⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        182⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        183⤵
        Drops file in Windows directory
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        184⤵
        
        PID:2240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        185⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        186⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        187⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        188⤵
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        189⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        190⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        191⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        192⤵
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        193⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        194⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        195⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        196⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        197⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        198⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        199⤵
        Drops file in Windows directory
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        200⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        201⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        202⤵
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        203⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        204⤵
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        205⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        206⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        207⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        208⤵
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        209⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        210⤵
        
        PID:1672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        211⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        212⤵
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        213⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        214⤵
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        215⤵
        Drops file in Windows directory
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        216⤵
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        217⤵
        Drops file in Windows directory
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        218⤵
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        219⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        220⤵
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        221⤵
        Drops file in Windows directory
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        222⤵
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        225⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        226⤵
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        227⤵
        Drops file in Windows directory
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        229⤵
        Drops file in Windows directory
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        231⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        232⤵
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        234⤵
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        235⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        236⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        237⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        238⤵
        
        PID:828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        239⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        240⤵
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        241⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        242⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        244⤵
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        245⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        246⤵
        
        PID:3040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        247⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        248⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        249⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        250⤵
        
        PID:2136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        251⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        252⤵
        Drops file in Windows directory
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        253⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        255⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        256⤵
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        257⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        258⤵
        
        PID:1672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        259⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        261⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        262⤵
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        263⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        264⤵
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        265⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        266⤵
        Drops file in Windows directory
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        267⤵
        Drops file in Windows directory
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        268⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        270⤵
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        271⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        272⤵
        
        PID:1444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        273⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        274⤵
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        275⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        276⤵
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        277⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        278⤵
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        279⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        280⤵
        
        PID:1048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        281⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        282⤵
        Drops file in Windows directory
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        283⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        284⤵
        
        PID:1280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        285⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        286⤵
        
        PID:1484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        287⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        289⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        290⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        291⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        292⤵
        
        PID:1440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        293⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        294⤵
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        295⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        296⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        297⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        298⤵
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        299⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        300⤵
        Drops file in Windows directory
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        301⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        302⤵
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        303⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        304⤵
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        305⤵
        Drops file in Windows directory
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        306⤵
        
        PID:576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        307⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        308⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        309⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        310⤵
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        311⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        312⤵
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        313⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        314⤵
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        315⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        316⤵
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        317⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        318⤵
        
        PID:2776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        319⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        320⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        321⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        322⤵
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        323⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        324⤵
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        325⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        326⤵
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        327⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        328⤵
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        329⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        330⤵
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        331⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        332⤵
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        333⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        334⤵
        
        PID:828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        335⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        336⤵
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        337⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        338⤵
        Drops file in Windows directory
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        339⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        340⤵
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        341⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        342⤵
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        343⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        344⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        345⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        346⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        347⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        348⤵
        Drops file in Windows directory
        
        PID:340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        349⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        351⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        352⤵
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        353⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        354⤵
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        355⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        356⤵
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        357⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        358⤵
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        360⤵
        Drops file in Windows directory
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        361⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        362⤵
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        363⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        364⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        366⤵
        
        PID:484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        367⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        368⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        369⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        370⤵
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        371⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        372⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        373⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        374⤵
        
        PID:780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        375⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        376⤵
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        377⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        378⤵
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        379⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        380⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        381⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        382⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        383⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        384⤵
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        385⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        386⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        387⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        388⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        389⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        390⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        391⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        392⤵
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        393⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        394⤵
        
        PID:1152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        395⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        396⤵
        Drops file in Windows directory
        
        PID:1192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        397⤵
        Drops file in Windows directory
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        398⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        399⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        400⤵
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        401⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        402⤵
        
        PID:1668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        403⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        404⤵
        
        PID:1288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        405⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        406⤵
        Drops file in Windows directory
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        407⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        408⤵
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        409⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        410⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        411⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        412⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        413⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        414⤵
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        415⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        416⤵
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        417⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        418⤵
        
        PID:980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        419⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        420⤵
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        421⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        422⤵
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        423⤵
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        424⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        425⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        426⤵
        Drops file in Windows directory
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        427⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        428⤵
        
        PID:1944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        429⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        430⤵
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        431⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        432⤵
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        433⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        434⤵
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        435⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        436⤵
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        437⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        438⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        439⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        440⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        441⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        442⤵
        
        PID:2136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        443⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        444⤵
        
        PID:660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        445⤵
        Drops file in Windows directory
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        446⤵
        
        PID:848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        447⤵
        Drops file in Windows directory
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        448⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        449⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        450⤵
        
        PID:836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        451⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        452⤵
        Drops file in Windows directory
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        453⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        454⤵
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        455⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        456⤵
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        457⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        458⤵
        
        PID:1916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        459⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        460⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        461⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        462⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        463⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        464⤵
        Drops file in Windows directory
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        465⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        466⤵
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        467⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        468⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        469⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        470⤵
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        471⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        472⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        473⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        474⤵
        
        PID:2240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        475⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        476⤵
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        477⤵
        Drops file in Windows directory
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        478⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        479⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        480⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        481⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        482⤵
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        483⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        484⤵
        Drops file in Windows directory
        
        PID:1508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        485⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        486⤵
        Drops file in Windows directory
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        487⤵
        Drops file in Windows directory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        488⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        489⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        490⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        491⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        492⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        493⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        494⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        495⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        496⤵
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        497⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        498⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        499⤵
        Drops file in Windows directory
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        500⤵
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        501⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        502⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        503⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        504⤵
        
        PID:2044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        505⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        506⤵
        Drops file in Windows directory
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        507⤵
        Drops file in Windows directory
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        508⤵
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        509⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        510⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        511⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        512⤵
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        513⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        514⤵
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        515⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        516⤵
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        517⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        518⤵
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        519⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        520⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        521⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        522⤵
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        523⤵
        Drops file in Windows directory
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        524⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        525⤵
        Drops file in Windows directory
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE
        526⤵
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CE6676~1.EXE"
        527⤵
        
        PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
569KB

MD5
eef2f834c8d65585af63916d23b07c36

SHA1
8cb85449d2cdb21bd6def735e1833c8408b8a9c6

SHA256
3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd

SHA512
2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
422KB

MD5
8bb6d1d1f40099aa6a629fbb036a8cb3

SHA1
8b388ca335032e3b04b0a7d1351ce25c61b4ba52

SHA256
a89419fc4ba9bf5f7ac6b348428ee57403fec3b5964f9e49b6eea49d779f4071

SHA512
3015b210c79a4c61143fa56d62caabc5aebfe8d95b20753aa7f52ed0bcd4faf801134e5ee614c3714d95da666e0548f88db4d3df96d6d7e0e124c5a5add23a81

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
d7668fee002ef44479fe96e895745cdf

SHA1
06dc4d41929528de431a3a8884a0f720ec4997b3

SHA256
fbfa381db2068b120151b5d9f85d28a9e10d4443fdc13e005ace0329369ff8ec

SHA512
a1edb3b85e71043194d0c84353f925e3888f4a91936d9a17e18fe3d991176a64fd170f6b852c4c8a56a7dd879dae6f9c9bae1bf2031a5f4a1b52475c1f165d25

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\ce667665bc9e83098c06cc2f545a22f5df45c2b596561e7113a60610475fb70aN.exe

Filesize
120KB

MD5
7b8705687e892b270c6b5f6c02419a17

SHA1
887e57af6de80dadbfcd59965110a0b382ec66c0

SHA256
2f4e0650c3200400082f53aa12de09edb33cf9367413b896ccf64536a21c7bda

SHA512
70dfefef53f5d8ef96e185acf131112cf8e35708cce944fc891d0baed9aac753854faac47bf6d4ceb8041e2a2a9f2dfd396ad658b756cffece2c2ffac4ef9a85

Download Submit
memory/268-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/268-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/448-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/660-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/872-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1152-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1236-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1244-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1256-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1272-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1292-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1444-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1492-205-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1556-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1596-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1668-198-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1716-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1748-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1768-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1780-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1812-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1868-197-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2116-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2224-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2224-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2240-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2252-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2388-231-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-281-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-161-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2480-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2492-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2560-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2680-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2724-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2812-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2896-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-345-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2996-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3020-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads