neshta | 1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
Size

3.8MB
MD5

0e2672b7471cd2eb1a8d6b324192eac7
SHA1

25d8f4c9c25188dc61c3d4fd7e46de80d5f4d542
SHA256

1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5
SHA512

d827a62640f255976685fafff69d1ae1f4c9d198e622d3eaf864e89f738295464ee89724fcb45d662a67527faf2ba369b19109be0dd1d7740056f229817dd43c
SSDEEP

49152:CjP3KQLTi1GL6tSXAt9J4W+8Z0+0GD0AGeuVEusJ6LNzOeL0GKVIeCjF826If2y:0S3lSeuVlcm7fOKA

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral1/files/0x000f000000015677-2.dat	family_neshta
behavioral1/files/0x0001000000010314-20.dat	family_neshta
behavioral1/files/0x0001000000010312-19.dat	family_neshta
behavioral1/files/0x000100000000f872-96.dat	family_neshta
behavioral1/memory/1492-77-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7e6-81.dat	family_neshta
behavioral1/memory/2200-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0008000000015685-73.dat	family_neshta
behavioral1/files/0x000100000000f776-72.dat	family_neshta
behavioral1/memory/592-59-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3044-58-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010b94-101.dat	family_neshta
behavioral1/files/0x0001000000010366-104.dat	family_neshta
behavioral1/files/0x00010000000114c6-98.dat	family_neshta
behavioral1/files/0x0001000000010c12-107.dat	family_neshta
behavioral1/files/0x0001000000010f30-113.dat	family_neshta
behavioral1/files/0x00010000000118e3-119.dat	family_neshta
behavioral1/files/0x00010000000118ea-122.dat	family_neshta
behavioral1/files/0x0001000000011876-116.dat	family_neshta
behavioral1/files/0x0001000000011a18-125.dat	family_neshta
behavioral1/files/0x00010000000103d9-128.dat	family_neshta
behavioral1/files/0x00010000000117fc-110.dat	family_neshta
behavioral1/files/0x00010000000108f6-134.dat	family_neshta
behavioral1/memory/2608-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000300000001215c-137.dat	family_neshta
behavioral1/files/0x000300000001219c-146.dat	family_neshta
behavioral1/files/0x000300000001215b-152.dat	family_neshta
behavioral1/files/0x000300000001219a-158.dat	family_neshta
behavioral1/files/0x000300000001219d-155.dat	family_neshta
behavioral1/files/0x000300000001215e-149.dat	family_neshta
behavioral1/files/0x000300000001215d-140.dat	family_neshta
behavioral1/memory/2604-45-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2584-31-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2312-30-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010693-161.dat	family_neshta
behavioral1/files/0x0002000000010924-164.dat	family_neshta
behavioral1/files/0x000100000001070c-18.dat	family_neshta
behavioral1/files/0x00010000000107e5-17.dat	family_neshta
behavioral1/memory/2188-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1996-176-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/664-194-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1092-193-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1528-223-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2256-226-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1780-231-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2484-230-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/652-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1276-238-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2512-247-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/584-246-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2280-255-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1000-254-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2980-270-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2524-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2932-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1556-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2780-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-289-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2588-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1700-297-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1396-306-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2816-305-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/588-314-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2236-313-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
2772	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
2312	svchost.com
2584	1762A0~1.EXE
2604	svchost.com
2608	1762A0~1.EXE
3044	svchost.com
592	1762A0~1.EXE
1492	svchost.com
2200	1762A0~1.EXE
2188	svchost.com
1996	1762A0~1.EXE
664	svchost.com
1092	1762A0~1.EXE
1528	svchost.com
2256	1762A0~1.EXE
1780	svchost.com
2484	1762A0~1.EXE
652	svchost.com
1276	1762A0~1.EXE
2512	svchost.com
584	1762A0~1.EXE
2280	svchost.com
1000	1762A0~1.EXE
2524	svchost.com
2980	1762A0~1.EXE
1556	svchost.com
2932	1762A0~1.EXE
2780	svchost.com
2728	1762A0~1.EXE
2588	svchost.com
1700	1762A0~1.EXE
1396	svchost.com
2816	1762A0~1.EXE
588	svchost.com
2236	1762A0~1.EXE
1804	svchost.com
2876	1762A0~1.EXE
1344	svchost.com
2712	1762A0~1.EXE
2664	svchost.com
2016	1762A0~1.EXE
2592	svchost.com
2848	1762A0~1.EXE
1632	svchost.com
2000	1762A0~1.EXE
2908	svchost.com
2956	1762A0~1.EXE
2948	svchost.com
2216	1762A0~1.EXE
2128	svchost.com
2108	1762A0~1.EXE
672	svchost.com
2632	1762A0~1.EXE
2036	svchost.com
2196	1762A0~1.EXE
1204	svchost.com
1964	1762A0~1.EXE
1056	svchost.com
1684	1762A0~1.EXE
1288	svchost.com
772	1762A0~1.EXE
1528	svchost.com
1676	1762A0~1.EXE
1068	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
2668	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
2668	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
2312	svchost.com
2312	svchost.com
2604	svchost.com
2604	svchost.com
3044	svchost.com
3044	svchost.com
1492	svchost.com
1492	svchost.com
2668	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
2772	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
2188	svchost.com
2188	svchost.com
664	svchost.com
664	svchost.com
1528	svchost.com
1528	svchost.com
1780	svchost.com
1780	svchost.com
652	svchost.com
652	svchost.com
2512	svchost.com
2512	svchost.com
2280	svchost.com
2280	svchost.com
2524	svchost.com
2524	svchost.com
1556	svchost.com
1556	svchost.com
2780	svchost.com
2780	svchost.com
2588	svchost.com
2588	svchost.com
1396	svchost.com
1396	svchost.com
588	svchost.com
588	svchost.com
1804	svchost.com
1804	svchost.com
1344	svchost.com
1344	svchost.com
2664	svchost.com
2664	svchost.com
2592	svchost.com
2592	svchost.com
1632	svchost.com
1632	svchost.com
2908	svchost.com
2908	svchost.com
2948	svchost.com
2948	svchost.com
2128	svchost.com
2128	svchost.com
672	svchost.com
672	svchost.com
2036	svchost.com
2036	svchost.com
1204	svchost.com
1204	svchost.com
1056	svchost.com
1056	svchost.com
1288	svchost.com
1288	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1762A0~1.EXE
File opened for modification	C:\Windows\svchost.com	1762A0~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1762A0~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2772	2668	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe	30
PID 2668 wrote to memory of 2772	2668	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe	30
PID 2668 wrote to memory of 2772	2668	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe	30
PID 2668 wrote to memory of 2772	2668	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe	30
PID 2772 wrote to memory of 2312	2772	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe	31
PID 2772 wrote to memory of 2312	2772	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe	31
PID 2772 wrote to memory of 2312	2772	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe	31
PID 2772 wrote to memory of 2312	2772	1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe	31
PID 2312 wrote to memory of 2584	2312	svchost.com	32
PID 2312 wrote to memory of 2584	2312	svchost.com	32
PID 2312 wrote to memory of 2584	2312	svchost.com	32
PID 2312 wrote to memory of 2584	2312	svchost.com	32
PID 2584 wrote to memory of 2604	2584	1762A0~1.EXE	33
PID 2584 wrote to memory of 2604	2584	1762A0~1.EXE	33
PID 2584 wrote to memory of 2604	2584	1762A0~1.EXE	33
PID 2584 wrote to memory of 2604	2584	1762A0~1.EXE	33
PID 2604 wrote to memory of 2608	2604	svchost.com	34
PID 2604 wrote to memory of 2608	2604	svchost.com	34
PID 2604 wrote to memory of 2608	2604	svchost.com	34
PID 2604 wrote to memory of 2608	2604	svchost.com	34
PID 2608 wrote to memory of 3044	2608	1762A0~1.EXE	35
PID 2608 wrote to memory of 3044	2608	1762A0~1.EXE	35
PID 2608 wrote to memory of 3044	2608	1762A0~1.EXE	35
PID 2608 wrote to memory of 3044	2608	1762A0~1.EXE	35
PID 3044 wrote to memory of 592	3044	svchost.com	36
PID 3044 wrote to memory of 592	3044	svchost.com	36
PID 3044 wrote to memory of 592	3044	svchost.com	36
PID 3044 wrote to memory of 592	3044	svchost.com	36
PID 592 wrote to memory of 1492	592	1762A0~1.EXE	37
PID 592 wrote to memory of 1492	592	1762A0~1.EXE	37
PID 592 wrote to memory of 1492	592	1762A0~1.EXE	37
PID 592 wrote to memory of 1492	592	1762A0~1.EXE	37
PID 1492 wrote to memory of 2200	1492	svchost.com	38
PID 1492 wrote to memory of 2200	1492	svchost.com	38
PID 1492 wrote to memory of 2200	1492	svchost.com	38
PID 1492 wrote to memory of 2200	1492	svchost.com	38
PID 2200 wrote to memory of 2188	2200	1762A0~1.EXE	39
PID 2200 wrote to memory of 2188	2200	1762A0~1.EXE	39
PID 2200 wrote to memory of 2188	2200	1762A0~1.EXE	39
PID 2200 wrote to memory of 2188	2200	1762A0~1.EXE	39
PID 2188 wrote to memory of 1996	2188	svchost.com	40
PID 2188 wrote to memory of 1996	2188	svchost.com	40
PID 2188 wrote to memory of 1996	2188	svchost.com	40
PID 2188 wrote to memory of 1996	2188	svchost.com	40
PID 1996 wrote to memory of 664	1996	1762A0~1.EXE	41
PID 1996 wrote to memory of 664	1996	1762A0~1.EXE	41
PID 1996 wrote to memory of 664	1996	1762A0~1.EXE	41
PID 1996 wrote to memory of 664	1996	1762A0~1.EXE	41
PID 664 wrote to memory of 1092	664	svchost.com	42
PID 664 wrote to memory of 1092	664	svchost.com	42
PID 664 wrote to memory of 1092	664	svchost.com	42
PID 664 wrote to memory of 1092	664	svchost.com	42
PID 1092 wrote to memory of 1528	1092	1762A0~1.EXE	91
PID 1092 wrote to memory of 1528	1092	1762A0~1.EXE	91
PID 1092 wrote to memory of 1528	1092	1762A0~1.EXE	91
PID 1092 wrote to memory of 1528	1092	1762A0~1.EXE	91
PID 1528 wrote to memory of 2256	1528	svchost.com	44
PID 1528 wrote to memory of 2256	1528	svchost.com	44
PID 1528 wrote to memory of 2256	1528	svchost.com	44
PID 1528 wrote to memory of 2256	1528	svchost.com	44
PID 2256 wrote to memory of 1780	2256	1762A0~1.EXE	45
PID 2256 wrote to memory of 1780	2256	1762A0~1.EXE	45
PID 2256 wrote to memory of 1780	2256	1762A0~1.EXE	45
PID 2256 wrote to memory of 1780	2256	1762A0~1.EXE	45

C:\Users\Admin\AppData\Local\Temp\1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
"C:\Users\Admin\AppData\Local\Temp\1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\3582-490\1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        59⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        61⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        66⤵
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        67⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        68⤵
        Drops file in Windows directory
        
        PID:2352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        69⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        70⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        71⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        72⤵
        
        PID:1256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        73⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        74⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        75⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        76⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        77⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        78⤵
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        80⤵
        
        PID:2588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        81⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        82⤵
        Drops file in Windows directory
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        83⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        84⤵
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        85⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        86⤵
        
        PID:1412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        87⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        88⤵
        Drops file in Windows directory
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        89⤵
        Drops file in Windows directory
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        90⤵
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        91⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        93⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        94⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        95⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        97⤵
        Drops file in Windows directory
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        100⤵
        
        PID:264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        101⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        102⤵
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        103⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        104⤵
        
        PID:444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        105⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        106⤵
        
        PID:1136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        107⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        108⤵
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        109⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        110⤵
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        111⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        112⤵
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        113⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        114⤵
        Drops file in Windows directory
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        115⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        116⤵
        
        PID:1624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        118⤵
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        120⤵
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        121⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        122⤵
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        123⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        124⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        125⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        126⤵
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        127⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        128⤵
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        129⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        130⤵
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        131⤵
        Drops file in Windows directory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        132⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        133⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        134⤵
        Drops file in Windows directory
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        135⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        136⤵
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        137⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        138⤵
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        139⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        141⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        143⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        144⤵
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        145⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        146⤵
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        147⤵
        Drops file in Windows directory
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        148⤵
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        149⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        150⤵
        
        PID:444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        151⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        153⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        154⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        155⤵
        Drops file in Windows directory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        156⤵
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        158⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        159⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        160⤵
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        163⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        164⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        165⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        169⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        170⤵
        
        PID:2808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        171⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        172⤵
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        173⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        174⤵
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        175⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        176⤵
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        177⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        179⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        180⤵
        
        PID:1944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        181⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        182⤵
        
        PID:2440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        183⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        185⤵
        Drops file in Windows directory
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        186⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        187⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        188⤵
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        189⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        191⤵
        Drops file in Windows directory
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        193⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        194⤵
        Drops file in Windows directory
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        195⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        196⤵
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        197⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        198⤵
        
        PID:1092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        200⤵
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        201⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        203⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        204⤵
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        205⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        206⤵
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        207⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        209⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        210⤵
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        211⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        213⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        214⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        215⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        216⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        217⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        218⤵
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        219⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        220⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        221⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        222⤵
        
        PID:532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        223⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        224⤵
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        225⤵
        Drops file in Windows directory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        227⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        228⤵
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        229⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        230⤵
        Drops file in Windows directory
        
        PID:2392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        231⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        232⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        233⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        234⤵
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        235⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        236⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        237⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        238⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        239⤵
        Drops file in Windows directory
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        240⤵
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        241⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        243⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        244⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        245⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        246⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        247⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        248⤵
        
        PID:1288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        249⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        250⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        251⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        252⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        253⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        254⤵
        
        PID:652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        255⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        256⤵
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        257⤵
        Drops file in Windows directory
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        258⤵
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        259⤵
        Drops file in Windows directory
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        260⤵
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        261⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        265⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        267⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        268⤵
        
        PID:480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        269⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        270⤵
        
        PID:2204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        274⤵
        Drops file in Windows directory
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        276⤵
        
        PID:2560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        277⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        278⤵
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        279⤵
        Drops file in Windows directory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        280⤵
        Drops file in Windows directory
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        281⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        282⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        283⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        284⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        285⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        286⤵
        
        PID:2276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        287⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        288⤵
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        290⤵
        
        PID:664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        291⤵
        Drops file in Windows directory
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        292⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        296⤵
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        297⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        298⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        300⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        301⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        302⤵
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        303⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        304⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        305⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        306⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        307⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        308⤵
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        309⤵
        Drops file in Windows directory
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        310⤵
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        311⤵
        Drops file in Windows directory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        312⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        313⤵
        Drops file in Windows directory
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        314⤵
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        315⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        316⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        317⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        318⤵
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        319⤵
        Drops file in Windows directory
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        320⤵
        Drops file in Windows directory
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        321⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        322⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        323⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        324⤵
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        326⤵
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        327⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        328⤵
        Drops file in Windows directory
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        329⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        330⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        331⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        332⤵
        
        PID:1724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        333⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        334⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        336⤵
        
        PID:444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        337⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        338⤵
        Drops file in Windows directory
        
        PID:1672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        339⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        340⤵
        
        PID:280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        341⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        342⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        344⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        345⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        346⤵
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        347⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        348⤵
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        349⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        350⤵
        Drops file in Windows directory
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        351⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        352⤵
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        353⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        354⤵
        
        PID:2792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        355⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        356⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        357⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        358⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        359⤵
        Drops file in Windows directory
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        360⤵
        Drops file in Windows directory
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        362⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        364⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        365⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        366⤵
        
        PID:544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        367⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        368⤵
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        369⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        370⤵
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        371⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        372⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE"
        373⤵
        Drops file in Windows directory
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1762A0~1.EXE
        374⤵
        
        PID:856

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
140KB

MD5
e584c29c854081c78a366fbcc6f7f84c

SHA1
32b7e552e5916b43d57d7b088c543b77f1067338

SHA256
b2748833775c7c1bfce6959afbd5e472f6ff40497ee1a0b4c16d210270c56450

SHA512
c2e1d90d30f8799e4871c3eb87a2bff6b2ec7e46324027f4590503505808600db41583805d265786771a53f658b2d4b0edea85c85b9ae88850119cc0a682be0c

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE

Filesize
859KB

MD5
cf969ebf8763e06c41c3456c65e1a635

SHA1
290b7a3e281c5576360005f0d1d1a470f0eb171b

SHA256
05a85b9b73501f91a6173c2a3cc30892ed16537ee25da65cde8e1491170eaaea

SHA512
71ddb540348fcf1f5467baa3975b731331e9a78d613aa16f7c12b1956707e3de5ba26240fef88c191f4b08c3cae964c2493784f4a082b33e1363e4ac2246e327

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

Filesize
588KB

MD5
c275134502929608464f4400dd4971ab

SHA1
107b91a5249425c83700d64aff4b57652039699d

SHA256
ca5263f340cc735ba279532bbd9fe505fcf05d81b52614e05aff31c14d18f831

SHA512
913cadcb575519f924333c80588781caecd6cd5f176dc22ac7391f154ffc3b3f7302d010433c22c96fde3591cac79df3252798e52abf5706517493ef87a7ef7d

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
571KB

MD5
fe8fcc8ac81c9756d7fe806ccb72c44d

SHA1
5a72ac1f1e7e4552152fa99f4a4005bce5aa3ff9

SHA256
5dc7ed47b3b537eff886d40eea223c91660bfbaed793db83168cbfa9e02cb66d

SHA512
193be7cc93e5822fe06e55524d20c0b26d17531c32dbfa568eb69a002be7915ce8677e2ba679b373690046cb9c9c8ffb197e6f772d0dc3aa5fecade49c18ef49

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
198KB

MD5
f562021a3a2e1a11351e0b6da28be149

SHA1
b591c3f6647b7d8ec0a45c7cddbd69eaf4d07e7e

SHA256
58abcadd2bff81ed5fd90e3b16f7339ca7bdae6b3058709ef72d5879da57618c

SHA512
802b396422608ec1f8c49c957af04d8a77b42ae6d37914257268ab0bc52fe841a10bae1fd53fd8d9d5b4165e133787833f6d6c38b28ac4c31f54eebdf527b1ef

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
229KB

MD5
6673bf4673f85cdf3903a959bfea7c0b

SHA1
825c3388dadd6a7b77097fbad16df7f404dcaa23

SHA256
79d27a18314ca8e9e54194c89d99c2670c19ec90ed0945c81e7abce354e098cc

SHA512
ca5bb0c3be9a9eb38e235c37a2259a3152e6a296ee6d58b39f8e0c1462bafb5ed43318e40e4c794193b22f540be0d2fab3c9f78360cc1436587159e9b576cda4

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
543KB

MD5
175f7d731cfa31541e21211e8b70a228

SHA1
822ac33bc53eb484d72bf563b90e3a4d227919c1

SHA256
4f80d4b9b5b2c5c3d5a78ee6771a02015d32bcecde995593e959d5ad660ea7ac

SHA512
a27d0dea374ca95405980568ae790f88503a2b0d7bf2481ea1bf396a9797ad16302978c8b7b3a37124fbf5fafd769c0581ae60234c9abef46e29548f3e670c8a

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
153KB

MD5
a5923ba4eea1202ecd968b7d0e62c862

SHA1
ec3561bcc4efb0151559cceec999da8ce3dcec52

SHA256
30c1313f51e141f70d68cab1ca19688718f68d9e37c294e8859cf768519d26fa

SHA512
42ada9a6dc99507fd13d029fa336c5d5d2ec2e797b746a541c2a8e6af96ae5621d9a1cae9d3d116524cf2ba59c1d144bb2607f430ebfb74d4bd7e7902c8d8efb

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

Filesize
579KB

MD5
2499526fdab8d1de6f34002d88b70813

SHA1
fe54eaca2e24f7b7d1b9461df9e1bd3a24464c6e

SHA256
ee1d0a974df8522c31fce225b94f8f2a2c946b9516988aa86b670e6894526039

SHA512
84aac6a2574011a447dbd9d68318854869d7158d33d58c259a041f22445f759166830e843b708f5318c2ffbd7d706c025ec30a5d2db573c2dab744d98a0a2631

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

Filesize
1.1MB

MD5
351e9c4419e64d8c2c792d20ddeeb05c

SHA1
af82903d205f851bf8609c93b2e826b409d93c15

SHA256
daf0dcc2523a2a0fdb56e699e5d3ee9453b877b6fbcd305cde16fb35bd88b3e2

SHA512
3f8c007e56bd43a1378a60a480449cdc53690bf9167103240c7e056cbde8dc08fb9cbe57974a9f35db8e60221809e0b4e49ace183f3997ed2f30841d4986d0c6

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
246KB

MD5
99a2deaf884241bb94cfe1d921a321e6

SHA1
8d0be6f7be2b558521640658bcc8b9738a599ad3

SHA256
ae35d246456036b8a0856775d182f44ac971bf8d0d6d8739d9401f81be3bb1e8

SHA512
dd7b2927cdf6f162ccb83f292c0416e3048325023c9dc11f811207c86fc4469d5293f304826b8e3fba598106adb0d76fc73e72f7c65d5ee2d5913f1905515431

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE

Filesize
226KB

MD5
61c4eb4385ee3530cb2022fe6fc5bc45

SHA1
551c8baeb6dac4470dbaf68091ad9b864c022e90

SHA256
9cdb825851f24e29737dfa6fd3f8dc1a314956b1224c8a438e614ca8229d1dfe

SHA512
a4a4dd302df0696c43765aec07df39d1dae7e4e9db7fc2e1c4df7cdf4ad88f6026d912d3be323d92e286b6e694cba9d81a50e6f52a037e30803c38d009963c9f

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
166KB

MD5
6ef5287cb255c1cc7f79efb0c269076c

SHA1
43510eb4ddd7a1785bf510d907928a4a910588dc

SHA256
1b6f43f5c3e639b3b994dc760454aff725d043b614a58d09090a5129507e1071

SHA512
d79c2e0621675405f732c57329469be30a9682b032f19140663be87c6e8850b3487e842b7fe301c8079a567770038823bfaabe3ce71e41ea721f893450d381c4

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

Filesize
195KB

MD5
6806fc8c89466f5d31a9338604c93755

SHA1
f20e64b9d1c63235321fcea364d315095196dc8c

SHA256
2398a5ccfc6c2444d711a9ae0bcf1d2f2547b73ce132e9dd08281413ce7434f8

SHA512
78ba9c5d64bd523d50af37ddc919d45e29e4c48108db75002d7693ad144a4822f1b45da3c571fd3c4b9619be7a35d66202e30adbc78203f3a6fa5bb781748af5

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
271KB

MD5
eadb2e7c90f5deabad2e2757622ddadd

SHA1
947a77f92ae3fcbdac42229f69ac5c4dcc3cf74e

SHA256
437dbdb218902cbf3bd4f1d5cfad46e2b0435ba7ae7d9de21d14bdd9206acbd2

SHA512
eecf366b56eb4c9d18cabed5ecf70c7541469537a96540fccc8277c44d94294a9195ced436c51faf70f6c2f51e81367a29032282beab55d2c55db030c92dcc43

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

Filesize
195KB

MD5
447536dfc4ca012480b5a44f73c3252c

SHA1
a39774e0a90822ef4bb751909e882854ee218dc4

SHA256
935a1f621e27230a64aeacbd20b644bbc87799b33c414f2431aa7460ca9eaedd

SHA512
5e5d7e1fc05cb53cb953e076cca6102c5acf7ce9888c38b29204ef1e68b978373c440e22e909535dd4b3958ebdf405154e9bef7062500cd826f273b35433a4d4

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

Filesize
305KB

MD5
ec73ca9f6105d3c696647afb815e4683

SHA1
08cdf07cb4cfb58c75ac7d28d7d12b604235618f

SHA256
a0f61fff90702092143409945a38041495cc4e43798f835e3947d6c7b7f70b45

SHA512
6dec731a684a5228268f54115eaf40a5c055f4ffc75b70e6ad23be304dcd604abd8c908f97ceabe4362eb2bf80aca166a7066c156f6bbc67db21e40cc9b2f45e

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

Filesize
383KB

MD5
58b28a41ee1203ff9bbac0882dfd2594

SHA1
abfa6bb9d58ff69ee33977bf50c3af8c5e902340

SHA256
1f591a0fd7d1410783095c249550ed8ff6cbac950232422251109f664546edb8

SHA512
fc1a078ea7bee8976783a38aa819841c425db70626189091feeb351e4dd766d19908086940d893dad6470d55470d0c0f03f901ee04a4ac6f318d11a47f86efc6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
479KB

MD5
62d780624d5267f4c5bd2ea994655267

SHA1
823beccccec32aeb0222334cb733c5692eeaf5fe

SHA256
ed5ae575b64f73c4e5eba390ed4f3959d8b95ec2f72505cc436679b85379f8d8

SHA512
dea7f5d7f0ffae7604d6cfdf52208466c2b93d8113d6f715f6632bf064677dd30836a3ba3bb3bb4088828c073db8a7cbdcab106eb92f69e0b2569c54527ca7cb

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
248KB

MD5
863087d206bd42785c4d49facc32da19

SHA1
d9546a1ebbb0a8359d75ce930c03086c7d5823f4

SHA256
cce0b71faa0b880f11bddf648d6025d5816c7078006fa8c1e663ab957af20ea4

SHA512
8f696f910e451ddff26f1e083fe8a889694305ea3cc226bdbb1c64cd0b6ee8b15b382a0eee77be159f347f1bbe55d12e8a0e2d63777ab62a74e17c15968465af

Download Submit
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE

Filesize
125KB

MD5
a8dadf93b223cb3c075204b0bd38c9c6

SHA1
41c4cf4e60dd6b2b3a09085af3f62f21914eba5b

SHA256
0b9faeceb83cfb2cbb2b04a5dc719288355ad3a221f4b413bc1a1d1bc5e335e0

SHA512
5d750b4ea23292859dda58dc81b82f234f00d0968f088e38353dd574caa43b4bd2f954750eb5135a20a8e934c7c12bd13c9badb653afc9483594b5f877c97031

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE

Filesize
1.4MB

MD5
34418ce9ed6c30b30897c61f55fc175d

SHA1
eea9a380f42a35a0e70a8ca3334776c2e3c1c4a6

SHA256
8f7773dead5f4e63c99068786047842d5a4fae7cd8b524a56f3d738b40434108

SHA512
fdbc37bef0511b3c937bee9ee2552ab71c75e9ff801f29e9219ec813b71c6da2332903c76344f507b1902a5f3a1f923e870b650d16113dd17766b5df4ab01687

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
cd54ec7903348b91f7bf4fb81264d4ed

SHA1
ae660e2c74b5351abb6797c1c988dbef59932a76

SHA256
a2ef724b06a69f87305ac38e116ec5e1eae9f795a0dbeb6c44677b85df02cbd6

SHA512
9789f8f0a9cc2fe8c683ced6cf585efff4e3cb098d66d2c1e40d2034a8dd4a96cdd89579e062bdf2b58fdfbab99d6f8cbce4599d83ad8b06e3e435b1451fc137

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
bbe7c2a598307f1959111956daa7d18d

SHA1
b5475cb967f67d394929ead4ebb9fc50a7bf9f09

SHA256
e8638156d8ffcd62d1310a66c97859d9d2a3cfa51bb2d68eff1fb3bb5e0b88fa

SHA512
24e2481d21c87a464478194213e7692d52631a626f4d7699d4d57f9fad6288353ecec52ac447d5fb6347269c381b35108fb191a7d39cdf1229df51a32ebe455d

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\1762a0a3de3d353469925c435ceafcfeebe005d3735386439ff0f0131f5925b5.exe

Filesize
3.8MB

MD5
901cb1b18380793fb1f7908bc300d4a8

SHA1
d6d979d72fbe70d2306b69c0fc1075680c37fa16

SHA256
7612a037ca60d654025c59242034bc59d9ede3885873054a113c9478e1ca100f

SHA512
69b21524dc29d8682a784cba147ac506e9da04ef419fcd48a57c0a2a315f5a83a50faed20051bbf6d82a37e4aafde0ec0d370f42881b6b94501e1492355f5c05

Download Submit
memory/584-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/588-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/592-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/652-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/664-194-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/672-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/772-423-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1000-254-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1056-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1068-434-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1092-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1204-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1276-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1288-422-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1344-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1396-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1492-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1528-426-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1528-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1556-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1632-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1676-425-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1684-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-297-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1780-231-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1804-321-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2016-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2108-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2128-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2196-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2200-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2280-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2312-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-433-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2584-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2588-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2664-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-289-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-305-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2908-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2932-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads