neshta | a2e6bb1ddffedcbe082196ade2fd2742ee8b68658ba7bdf846c3be709f15fb4e

Analysis

max time kernel
23s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vaultFile11006347749467126253.exe
Size

4.1MB
MD5

a9dd2982d7f123950a6865bd7b59906a
SHA1

1f258810190dca1cfcc34dc3adfb083255f23330
SHA256

92b303f29d883e414190f1263ea4ad7a6e556dfab7d3e0fd91bbae133c125a52
SHA512

f15472a17653c585f6b4bf4be097119be01b2c77ecefe8271fd8024ba3ab51962fef40f13f395b4db534420846e9e80f35e3c13116f580cf3908daa0fc70ba4e
SSDEEP

49152:XEBgnnvHwB+yswrZr8mm6LhL02F989+SwEIe9by/uMnoVedHqCchacRcHkAQ6TU:LnvC+GkAJqDJRMI

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral1/files/0x00070000000174a6-2.dat	family_neshta
behavioral1/files/0x00070000000174c3-15.dat	family_neshta
behavioral1/files/0x0001000000010314-20.dat	family_neshta
behavioral1/memory/1216-39-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2216-38-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010312-19.dat	family_neshta
behavioral1/files/0x000700000001033a-18.dat	family_neshta
behavioral1/files/0x0022000000010678-17.dat	family_neshta
behavioral1/memory/2756-45-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2860-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2736-58-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3004-57-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2748-73-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2644-72-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2312-87-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2672-86-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7d3-97.dat	family_neshta
behavioral1/files/0x000100000000f7d8-100.dat	family_neshta
behavioral1/files/0x000100000000f776-103.dat	family_neshta
behavioral1/files/0x000100000000f7ca-106.dat	family_neshta
behavioral1/files/0x000100000000f7e6-109.dat	family_neshta
behavioral1/files/0x00010000000117fc-150.dat	family_neshta
behavioral1/files/0x0001000000010c12-147.dat	family_neshta
behavioral1/files/0x0001000000010361-144.dat	family_neshta
behavioral1/files/0x0001000000010b94-141.dat	family_neshta
behavioral1/files/0x00010000000114c5-138.dat	family_neshta
behavioral1/files/0x000100000000f872-135.dat	family_neshta
behavioral1/files/0x000100000000f82d-130.dat	family_neshta
behavioral1/files/0x000100000000f703-128.dat	family_neshta
behavioral1/memory/2040-118-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2868-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/592-168-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2000-167-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2148-194-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1868-193-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1108-196-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2932-197-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1396-209-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1880-210-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1860-223-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/780-222-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2596-250-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1104-251-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2788-264-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/400-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2076-275-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1980-276-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1216-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2696-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2816-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2740-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2860-307-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2832-306-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2648-315-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3004-314-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2632-322-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1752-328-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2104-330-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2500-336-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2876-339-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1492-338-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2700-347-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1640-346-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/976-355-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
1456	vaultFile11006347749467126253.exe
1216	svchost.com
2216	VAULTF~1.EXE
2756	svchost.com
2860	VAULTF~1.EXE
2736	svchost.com
3004	VAULTF~1.EXE
2748	svchost.com
2644	VAULTF~1.EXE
2312	svchost.com
2672	VAULTF~1.EXE
2040	svchost.com
2868	VAULTF~1.EXE
592	svchost.com
2000	VAULTF~1.EXE
2148	svchost.com
1868	VAULTF~1.EXE
2932	svchost.com
1108	VAULTF~1.EXE
1880	svchost.com
1396	VAULTF~1.EXE
1860	svchost.com
780	VAULTF~1.EXE
2596	svchost.com
1104	VAULTF~1.EXE
2788	svchost.com
400	VAULTF~1.EXE
1980	svchost.com
2076	VAULTF~1.EXE
2696	svchost.com
1216	VAULTF~1.EXE
2816	svchost.com
2740	VAULTF~1.EXE
2860	svchost.com
2832	VAULTF~1.EXE
2648	svchost.com
3004	VAULTF~1.EXE
2632	svchost.com
1752	VAULTF~1.EXE
2104	svchost.com
2500	VAULTF~1.EXE
1492	svchost.com
2876	VAULTF~1.EXE
1640	svchost.com
2700	VAULTF~1.EXE
2880	svchost.com
976	VAULTF~1.EXE
2868	svchost.com
2924	VAULTF~1.EXE
1992	svchost.com
2068	VAULTF~1.EXE
2992	svchost.com
2708	VAULTF~1.EXE
1996	svchost.com
2568	VAULTF~1.EXE
1336	svchost.com
448	VAULTF~1.EXE
2380	svchost.com
2136	VAULTF~1.EXE
1028	svchost.com
1108	VAULTF~1.EXE
1764	svchost.com
2300	VAULTF~1.EXE
1676	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
1924	vaultFile11006347749467126253.exe
1924	vaultFile11006347749467126253.exe
1216	svchost.com
1216	svchost.com
2756	svchost.com
2756	svchost.com
2736	svchost.com
2736	svchost.com
2748	svchost.com
2748	svchost.com
2312	svchost.com
2312	svchost.com
2040	svchost.com
2040	svchost.com
1924	vaultFile11006347749467126253.exe
1456	vaultFile11006347749467126253.exe
592	svchost.com
592	svchost.com
2148	svchost.com
2148	svchost.com
2932	svchost.com
2932	svchost.com
1880	svchost.com
1880	svchost.com
1860	svchost.com
1860	svchost.com
2596	svchost.com
2596	svchost.com
1456	vaultFile11006347749467126253.exe
2788	svchost.com
2788	svchost.com
1980	svchost.com
1980	svchost.com
1456	vaultFile11006347749467126253.exe
2696	svchost.com
2696	svchost.com
1456	vaultFile11006347749467126253.exe
2816	svchost.com
2816	svchost.com
2860	svchost.com
2860	svchost.com
2648	svchost.com
2648	svchost.com
2632	svchost.com
2632	svchost.com
2104	svchost.com
2104	svchost.com
1492	svchost.com
1492	svchost.com
1640	svchost.com
1640	svchost.com
2880	svchost.com
2880	svchost.com
2868	svchost.com
2868	svchost.com
1992	svchost.com
1992	svchost.com
2992	svchost.com
2992	svchost.com
1996	svchost.com
1996	svchost.com
1336	svchost.com
1336	svchost.com
2380	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	vaultFile11006347749467126253.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	vaultFile11006347749467126253.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	vaultFile11006347749467126253.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	VAULTF~1.EXE
File opened for modification	C:\Windows\svchost.com	VAULTF~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VAULTF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	vaultFile11006347749467126253.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1456	1924	vaultFile11006347749467126253.exe	30
PID 1924 wrote to memory of 1456	1924	vaultFile11006347749467126253.exe	30
PID 1924 wrote to memory of 1456	1924	vaultFile11006347749467126253.exe	30
PID 1924 wrote to memory of 1456	1924	vaultFile11006347749467126253.exe	30
PID 1456 wrote to memory of 1216	1456	vaultFile11006347749467126253.exe	31
PID 1456 wrote to memory of 1216	1456	vaultFile11006347749467126253.exe	31
PID 1456 wrote to memory of 1216	1456	vaultFile11006347749467126253.exe	31
PID 1456 wrote to memory of 1216	1456	vaultFile11006347749467126253.exe	31
PID 1216 wrote to memory of 2216	1216	svchost.com	32
PID 1216 wrote to memory of 2216	1216	svchost.com	32
PID 1216 wrote to memory of 2216	1216	svchost.com	32
PID 1216 wrote to memory of 2216	1216	svchost.com	32
PID 2216 wrote to memory of 2756	2216	VAULTF~1.EXE	33
PID 2216 wrote to memory of 2756	2216	VAULTF~1.EXE	33
PID 2216 wrote to memory of 2756	2216	VAULTF~1.EXE	33
PID 2216 wrote to memory of 2756	2216	VAULTF~1.EXE	33
PID 2756 wrote to memory of 2860	2756	svchost.com	63
PID 2756 wrote to memory of 2860	2756	svchost.com	63
PID 2756 wrote to memory of 2860	2756	svchost.com	63
PID 2756 wrote to memory of 2860	2756	svchost.com	63
PID 2860 wrote to memory of 2736	2860	VAULTF~1.EXE	35
PID 2860 wrote to memory of 2736	2860	VAULTF~1.EXE	35
PID 2860 wrote to memory of 2736	2860	VAULTF~1.EXE	35
PID 2860 wrote to memory of 2736	2860	VAULTF~1.EXE	35
PID 2736 wrote to memory of 3004	2736	svchost.com	66
PID 2736 wrote to memory of 3004	2736	svchost.com	66
PID 2736 wrote to memory of 3004	2736	svchost.com	66
PID 2736 wrote to memory of 3004	2736	svchost.com	66
PID 3004 wrote to memory of 2748	3004	VAULTF~1.EXE	37
PID 3004 wrote to memory of 2748	3004	VAULTF~1.EXE	37
PID 3004 wrote to memory of 2748	3004	VAULTF~1.EXE	37
PID 3004 wrote to memory of 2748	3004	VAULTF~1.EXE	37
PID 2748 wrote to memory of 2644	2748	svchost.com	38
PID 2748 wrote to memory of 2644	2748	svchost.com	38
PID 2748 wrote to memory of 2644	2748	svchost.com	38
PID 2748 wrote to memory of 2644	2748	svchost.com	38
PID 2644 wrote to memory of 2312	2644	VAULTF~1.EXE	39
PID 2644 wrote to memory of 2312	2644	VAULTF~1.EXE	39
PID 2644 wrote to memory of 2312	2644	VAULTF~1.EXE	39
PID 2644 wrote to memory of 2312	2644	VAULTF~1.EXE	39
PID 2312 wrote to memory of 2672	2312	svchost.com	40
PID 2312 wrote to memory of 2672	2312	svchost.com	40
PID 2312 wrote to memory of 2672	2312	svchost.com	40
PID 2312 wrote to memory of 2672	2312	svchost.com	40
PID 2672 wrote to memory of 2040	2672	VAULTF~1.EXE	41
PID 2672 wrote to memory of 2040	2672	VAULTF~1.EXE	41
PID 2672 wrote to memory of 2040	2672	VAULTF~1.EXE	41
PID 2672 wrote to memory of 2040	2672	VAULTF~1.EXE	41
PID 2040 wrote to memory of 2868	2040	svchost.com	77
PID 2040 wrote to memory of 2868	2040	svchost.com	77
PID 2040 wrote to memory of 2868	2040	svchost.com	77
PID 2040 wrote to memory of 2868	2040	svchost.com	77
PID 2868 wrote to memory of 592	2868	VAULTF~1.EXE	130
PID 2868 wrote to memory of 592	2868	VAULTF~1.EXE	130
PID 2868 wrote to memory of 592	2868	VAULTF~1.EXE	130
PID 2868 wrote to memory of 592	2868	VAULTF~1.EXE	130
PID 592 wrote to memory of 2000	592	svchost.com	44
PID 592 wrote to memory of 2000	592	svchost.com	44
PID 592 wrote to memory of 2000	592	svchost.com	44
PID 592 wrote to memory of 2000	592	svchost.com	44
PID 2000 wrote to memory of 2148	2000	VAULTF~1.EXE	45
PID 2000 wrote to memory of 2148	2000	VAULTF~1.EXE	45
PID 2000 wrote to memory of 2148	2000	VAULTF~1.EXE	45
PID 2000 wrote to memory of 2148	2000	VAULTF~1.EXE	45

C:\Users\Admin\AppData\Local\Temp\vaultFile11006347749467126253.exe
"C:\Users\Admin\AppData\Local\Temp\vaultFile11006347749467126253.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\3582-490\vaultFile11006347749467126253.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\vaultFile11006347749467126253.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        59⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        66⤵
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        67⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        68⤵
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        69⤵
        Drops file in Windows directory
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        70⤵
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        71⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        73⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        74⤵
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        75⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        78⤵
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        80⤵
        
        PID:1216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        81⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        82⤵
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        84⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        85⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        87⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        88⤵
        Drops file in Windows directory
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        89⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        90⤵
        
        PID:604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        92⤵
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        93⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        95⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        96⤵
        Drops file in Windows directory
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        98⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        99⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        100⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        101⤵
        Drops file in Windows directory
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        102⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        103⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        104⤵
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        105⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        106⤵
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        107⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        108⤵
        Drops file in Windows directory
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        109⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        110⤵
        
        PID:284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        111⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        112⤵
        
        PID:1388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        113⤵
        Drops file in Windows directory
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        114⤵
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        115⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        116⤵
        Drops file in Windows directory
        
        PID:628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        119⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        120⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        121⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        122⤵
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        123⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        124⤵
        Drops file in Windows directory
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        125⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        126⤵
        
        PID:2336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        127⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        128⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        129⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        131⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        132⤵
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        134⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        135⤵
        Drops file in Windows directory
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        136⤵
        
        PID:604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        137⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        138⤵
        
        PID:576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        139⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        140⤵
        Drops file in Windows directory
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        141⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        142⤵
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        143⤵
        Drops file in Windows directory
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        144⤵
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        145⤵
        Drops file in Windows directory
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        147⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        148⤵
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        149⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        150⤵
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        152⤵
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        153⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        154⤵
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        155⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        156⤵
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        157⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        158⤵
        
        PID:1544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        159⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        160⤵
        
        PID:1628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        161⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        162⤵
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        163⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        164⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        165⤵
        Drops file in Windows directory
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        166⤵
        
        PID:400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        168⤵
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        169⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        170⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        171⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        172⤵
        Drops file in Windows directory
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        174⤵
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        176⤵
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        177⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        178⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        179⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        180⤵
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        181⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        182⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        183⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        185⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        186⤵
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        187⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        188⤵
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        189⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        190⤵
        
        PID:468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        191⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        192⤵
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        193⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        194⤵
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        195⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        196⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        197⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        198⤵
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        199⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        200⤵
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        201⤵
        Drops file in Windows directory
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        202⤵
        Drops file in Windows directory
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        203⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        204⤵
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        205⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        206⤵
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        207⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        208⤵
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        209⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        210⤵
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        212⤵
        
        PID:1628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        213⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        214⤵
        
        PID:1944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        215⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        216⤵
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        217⤵
        Drops file in Windows directory
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        218⤵
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        219⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        220⤵
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        221⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        223⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        224⤵
        Drops file in Windows directory
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        225⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        226⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        227⤵
        Drops file in Windows directory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        229⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        230⤵
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        231⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        232⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        233⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        234⤵
        
        PID:572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        235⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        236⤵
        
        PID:284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        237⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        238⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        239⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        240⤵
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        241⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        242⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        243⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        244⤵
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        245⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        246⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        247⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        249⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        250⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        252⤵
        
        PID:960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        253⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        254⤵
        Drops file in Windows directory
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        255⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        256⤵
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        257⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        258⤵
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        259⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        260⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        261⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        262⤵
        
        PID:1348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        263⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        264⤵
        Drops file in Windows directory
        
        PID:1096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        265⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        266⤵
        
        PID:2204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        268⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        270⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        271⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        272⤵
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        273⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        274⤵
        Drops file in Windows directory
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        275⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        277⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        281⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        282⤵
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        283⤵
        Drops file in Windows directory
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        284⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        285⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        286⤵
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        287⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        288⤵
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        289⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        290⤵
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        291⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        293⤵
        Drops file in Windows directory
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        294⤵
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        295⤵
        Drops file in Windows directory
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        297⤵
        Drops file in Windows directory
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        298⤵
        
        PID:1208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        299⤵
        Drops file in Windows directory
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        300⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        301⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        302⤵
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        303⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        304⤵
        
        PID:448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        305⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        306⤵
        
        PID:944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        307⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        308⤵
        
        PID:964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        309⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        310⤵
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        312⤵
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        313⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        314⤵
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        315⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        316⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        317⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        318⤵
        
        PID:1604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        319⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        320⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        321⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        322⤵
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        323⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        324⤵
        
        PID:2492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        325⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        326⤵
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        327⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        328⤵
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        329⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        330⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        331⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        332⤵
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        333⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        334⤵
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        335⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        336⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        337⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        338⤵
        
        PID:804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        339⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        340⤵
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        341⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        342⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        343⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        344⤵
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        345⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        346⤵
        
        PID:1976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        347⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        348⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        349⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        350⤵
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        351⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        352⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        354⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        355⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        356⤵
        
        PID:1880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        357⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        358⤵
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        360⤵
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        361⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        362⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        363⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        364⤵
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        365⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        366⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        367⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        368⤵
        Drops file in Windows directory
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        369⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        370⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        371⤵
        Drops file in Windows directory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        372⤵
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        373⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        374⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        375⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        376⤵
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        377⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        378⤵
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        379⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        380⤵
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        381⤵
        Drops file in Windows directory
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        382⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        383⤵
        Drops file in Windows directory
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        384⤵
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        385⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        386⤵
        Drops file in Windows directory
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        387⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        388⤵
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        389⤵
        Drops file in Windows directory
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        390⤵
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        391⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        392⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        393⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        394⤵
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        395⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        396⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        397⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        398⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        399⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        400⤵
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        401⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        402⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        403⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        404⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        405⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        406⤵
        
        PID:2136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        407⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        408⤵
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        409⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        410⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        411⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        412⤵
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        413⤵
        Drops file in Windows directory
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        414⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        415⤵
        Drops file in Windows directory
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        416⤵
        
        PID:1096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        417⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        418⤵
        
        PID:320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        419⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        420⤵
        Drops file in Windows directory
        
        PID:1604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        421⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        422⤵
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        423⤵
        Drops file in Windows directory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        424⤵
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        425⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        426⤵
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        427⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        428⤵
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        429⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        430⤵
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        431⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        432⤵
        
        PID:884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        433⤵
        Drops file in Windows directory
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        434⤵
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        435⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        436⤵
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        437⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        438⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        439⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        440⤵
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        441⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        442⤵
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        443⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        444⤵
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        445⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        446⤵
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        447⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        448⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        449⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        450⤵
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        451⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        452⤵
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        453⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        454⤵
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        455⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        456⤵
        
        PID:316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        457⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        458⤵
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        459⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        460⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        461⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        462⤵
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        463⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        464⤵
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        465⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        466⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        467⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        468⤵
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        469⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        470⤵
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        471⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        472⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        473⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        474⤵
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        475⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        476⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        477⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        478⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        479⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        480⤵
        
        PID:2760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        481⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        482⤵
        
        PID:1112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        483⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        484⤵
        
        PID:2020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        485⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        486⤵
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        487⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        488⤵
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        489⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        490⤵
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        491⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        492⤵
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        493⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        494⤵
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        495⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        496⤵
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        497⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        498⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        499⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        500⤵
        
        PID:1188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        501⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        502⤵
        
        PID:348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        503⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        504⤵
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        505⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        506⤵
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        507⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        508⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        509⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        510⤵
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        511⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        512⤵
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        513⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        514⤵
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        515⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        516⤵
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        517⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        518⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        519⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        520⤵
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        521⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        522⤵
        
        PID:496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        523⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        524⤵
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        525⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        526⤵
        
        PID:2336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        527⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        528⤵
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        529⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        530⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        531⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        532⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        533⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE
        534⤵
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\VAULTF~1.EXE"
        535⤵
        
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
326KB

MD5
eafb5c9e718ec9f053f0262ab1c9ddd2

SHA1
573d3cd44bbb7863e0ef5226d90cbd2375282f2a

SHA256
56fc9ee5ebfc6b6eec9ef43c21ab24349fc0890eb783b2e1eddaa53770f11877

SHA512
e7d6a5efdb35543e1dc940a198119bd0f3ed9740bc36465232a4f66c03cbecbfe61a109f181b758113ce4c71253766698a493763abccc9fb0ce2c47ff8b31d7a

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
354KB

MD5
c7021f05bd12860e1d3350f0a444f99a

SHA1
747241c3429076691338dceb1672080829b662e7

SHA256
db106d65f64f3cff8d79fba4b7aff6436ed8d4972bae7a7be19d4b6fbc5db92a

SHA512
de937f0c8e8ad97aa3528314f0cc1406808a5b3ef9f0b32cb7554adb1e0a15ca1e6ec7cd40bfeea9772cb87bb9716b4cc8d9cdf94a0dd696dcc3648f5795afa0

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
569KB

MD5
8d8c83a9d87bc0227d6633b88f2b0e87

SHA1
513a162aaf7ffa103e567b7de0d76d94e69ab9cb

SHA256
8407630072142d730093a9faf803c28d9540303967677a7509fd73d1f20d16a7

SHA512
827e34fef2c6d86a7bdf1d4a178fa8dbf085b452a8938c5d1cb1013e2a9e6d1a8101801a0e9cbe4cc3be79211fc912ab453205eaa2604b1628b6674a62ec936c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
422KB

MD5
0da2d682733a37ac0eff5886129e9192

SHA1
5c7def546e6e3a0fa55df37d7a0f9270ebc6119e

SHA256
ea67f9e673e395dce99a8e4ca5b755c4556ab7031e24f79762d6a59fbc8110fe

SHA512
1a9986d648f2fb77767bd267a0fa6a1a4c24f39a7a064ce3012a9110c9f087a2f367741d1039976d7848b72bece481b8597cb7acdc2ce72d710a17f7121ff2f6

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
178KB

MD5
6570f18406183e572b1f8d4cea13bc66

SHA1
838e8537f613a33d9828defeb4cb1af2f8ed5f2b

SHA256
0466a343fc8ec05657758df972183869b74dd15936f9ac18663462128c88be64

SHA512
0b6807b721ec3934de420498014be32d1cb66d2d6ccb57f86b996d4423a7fa9d719f864317ffe1d48ca7c2bc5a72cb7b93f32fa03d09f144b1dba8006e0ebdf4

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
373KB

MD5
2f6f7891de512f6269c8e8276aa3ea3e

SHA1
53f648c482e2341b4718a60f9277198711605c80

SHA256
d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86

SHA512
c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
e4e0aca2d9d108e1ab4c0e8b960268ad

SHA1
647caea0aba2a9acb93c4b6b253433497fc34d97

SHA256
2251f16f0d964180a34525678c0875fd75b892b169b025c3ca94711095172822

SHA512
461b86b894144ee04807cf7a80cee83bcc086f3f0c24dc8459833c6042160d47c8268d06fd926adb0b401ca8b98229af30ee1552fd2447311c5be9670e0cb3a1

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
171KB

MD5
74b2a0f7b9638b356fd6d016f1d26e9d

SHA1
e7de80ef91c4072e68ec6560b84da68809b440e8

SHA256
05ddd7ecdde93e8d5f067a85e99b622f3c0431e367b3761a83f988a59871f0fb

SHA512
e6c07f15ee29250948c2b6767cf1e91416f1d3ee87e6e169b9f6d5b9303314aefd1857ab07f934d75ea2674ab674c32d247de5c5b38cfb792d26432734f3f8e1

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE

Filesize
859KB

MD5
cf969ebf8763e06c41c3456c65e1a635

SHA1
290b7a3e281c5576360005f0d1d1a470f0eb171b

SHA256
05a85b9b73501f91a6173c2a3cc30892ed16537ee25da65cde8e1491170eaaea

SHA512
71ddb540348fcf1f5467baa3975b731331e9a78d613aa16f7c12b1956707e3de5ba26240fef88c191f4b08c3cae964c2493784f4a082b33e1363e4ac2246e327

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

Filesize
588KB

MD5
c275134502929608464f4400dd4971ab

SHA1
107b91a5249425c83700d64aff4b57652039699d

SHA256
ca5263f340cc735ba279532bbd9fe505fcf05d81b52614e05aff31c14d18f831

SHA512
913cadcb575519f924333c80588781caecd6cd5f176dc22ac7391f154ffc3b3f7302d010433c22c96fde3591cac79df3252798e52abf5706517493ef87a7ef7d

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
571KB

MD5
fe8fcc8ac81c9756d7fe806ccb72c44d

SHA1
5a72ac1f1e7e4552152fa99f4a4005bce5aa3ff9

SHA256
5dc7ed47b3b537eff886d40eea223c91660bfbaed793db83168cbfa9e02cb66d

SHA512
193be7cc93e5822fe06e55524d20c0b26d17531c32dbfa568eb69a002be7915ce8677e2ba679b373690046cb9c9c8ffb197e6f772d0dc3aa5fecade49c18ef49

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
198KB

MD5
f562021a3a2e1a11351e0b6da28be149

SHA1
b591c3f6647b7d8ec0a45c7cddbd69eaf4d07e7e

SHA256
58abcadd2bff81ed5fd90e3b16f7339ca7bdae6b3058709ef72d5879da57618c

SHA512
802b396422608ec1f8c49c957af04d8a77b42ae6d37914257268ab0bc52fe841a10bae1fd53fd8d9d5b4165e133787833f6d6c38b28ac4c31f54eebdf527b1ef

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
229KB

MD5
6673bf4673f85cdf3903a959bfea7c0b

SHA1
825c3388dadd6a7b77097fbad16df7f404dcaa23

SHA256
79d27a18314ca8e9e54194c89d99c2670c19ec90ed0945c81e7abce354e098cc

SHA512
ca5bb0c3be9a9eb38e235c37a2259a3152e6a296ee6d58b39f8e0c1462bafb5ed43318e40e4c794193b22f540be0d2fab3c9f78360cc1436587159e9b576cda4

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
2cdb1c5fe5dc34f88a0742c4b0a24b1e

SHA1
6b878987c0e7be8bbabe5842770bf9c76455bdfb

SHA256
70e77cfe0fd300ffb1cfd9386af66964399a8ec32fe4909f107f93dc66ea4ebe

SHA512
06b4a98b3a6080e0382262ef89fc6ce40f76956684825f923a2f96706771ca39acbca4308828933702e0ec6e5afc70aeae4eb295eef270e584b136ff64e8f1b4

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vaultFile11006347749467126253.exe

Filesize
4.0MB

MD5
389f40414644e2d908999537a12f5ee6

SHA1
cfe5eb439cee83017695d2e21af3f363269d6577

SHA256
bbb3647ae8217b8314479dca4b7c03624d16f71379e2abc4688bb3fcfc268f46

SHA512
e7388549284c126055e4b46520581fffd78c5e128949c88b60192f7ae8ea29225e08179a2aa9a9bb4fc4f14ed0a1106a6ca01e8807d45a47a5dd847ae3d5ad2e

Download Submit
memory/400-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/448-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/592-168-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/780-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/976-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1028-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1104-251-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1108-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1108-196-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1216-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1216-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1336-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1396-209-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1492-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1640-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1644-426-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1676-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1764-418-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1860-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1868-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-210-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1992-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-167-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2068-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2136-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2148-194-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2300-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2312-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2380-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2696-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2700-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2736-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2832-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2860-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2860-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2932-197-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads