neshta | d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4

Analysis

max time kernel
115s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
Size

1.1MB
MD5

3819a3c01e3c206888e4e8575ec1dba8
SHA1

f46fcf2b667384e8ee3f607f134cafd6ad74ef74
SHA256

d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4
SHA512

5e2e7ec436c1d67e0050d8e6bbc001075d289b9dc65829bd122894e0204ae45bc711130f71f8b3e33b11b897d8e88af670dba643fe7c7f697010b98e37fdafb2

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 38 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exesvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.com

pid	process
3976	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
4196	svchost.com
3080	D8EDEA~1.EXE
1300	svchost.com
4236	D8EDEA~1.EXE
2320	svchost.com
2996	D8EDEA~1.EXE
564	svchost.com
4428	D8EDEA~1.EXE
4508	svchost.com
1800	D8EDEA~1.EXE
2840	svchost.com
944	D8EDEA~1.EXE
4828	svchost.com
2464	D8EDEA~1.EXE
4120	svchost.com
32	D8EDEA~1.EXE
3632	svchost.com
2992	D8EDEA~1.EXE
2328	svchost.com
4456	D8EDEA~1.EXE
5076	svchost.com
5000	D8EDEA~1.EXE
4620	svchost.com
824	D8EDEA~1.EXE
2060	svchost.com
1836	D8EDEA~1.EXE
2548	svchost.com
1044	D8EDEA~1.EXE
2700	svchost.com
832	D8EDEA~1.EXE
1108	svchost.com
4060	D8EDEA~1.EXE
2232	svchost.com
2180	D8EDEA~1.EXE
2728	svchost.com
4908	D8EDEA~1.EXE
2476	D8EDEA~1.EXE
3920	D8EDEA~1.EXE
2644	svchost.com
3604	D8EDEA~1.EXE
444	svchost.com
2360	D8EDEA~1.EXE
3104	svchost.com
1804	D8EDEA~1.EXE
4920	svchost.com
540	D8EDEA~1.EXE
956	svchost.com
4964	D8EDEA~1.EXE
828	svchost.com
1424	D8EDEA~1.EXE
4804	svchost.com
4540	D8EDEA~1.EXE
4392	svchost.com
4500	D8EDEA~1.EXE
3408	svchost.com
4144	D8EDEA~1.EXE
3640	svchost.com
4600	D8EDEA~1.EXE
3112	svchost.com
4032	D8EDEA~1.EXE
4912	svchost.com
2464	D8EDEA~1.EXE
1484	svchost.com

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	D8EDEA~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exed8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Drops file in Windows directory 64 IoCs

Processes:

D8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comsvchost.comD8EDEA~1.EXEsvchost.comsvchost.comD8EDEA~1.EXED8EDEA~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comD8EDEA~1.EXED8EDEA~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comD8EDEA~1.EXEsvchost.comsvchost.comD8EDEA~1.EXED8EDEA~1.EXEsvchost.comsvchost.comsvchost.comD8EDEA~1.EXED8EDEA~1.EXEsvchost.comD8EDEA~1.EXED8EDEA~1.EXEsvchost.comD8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXEsvchost.comsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXED8EDEA~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXED8EDEA~1.EXEsvchost.comD8EDEA~1.EXED8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\directx.sys	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D8EDEA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	D8EDEA~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exed8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exesvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXEsvchost.comD8EDEA~1.EXE

description	pid	process	target process
PID 548 wrote to memory of 3976	548	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
PID 548 wrote to memory of 3976	548	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
PID 548 wrote to memory of 3976	548	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
PID 3976 wrote to memory of 4196	3976	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	svchost.com
PID 3976 wrote to memory of 4196	3976	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	svchost.com
PID 3976 wrote to memory of 4196	3976	d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe	svchost.com
PID 4196 wrote to memory of 3080	4196	svchost.com	D8EDEA~1.EXE
PID 4196 wrote to memory of 3080	4196	svchost.com	D8EDEA~1.EXE
PID 4196 wrote to memory of 3080	4196	svchost.com	D8EDEA~1.EXE
PID 3080 wrote to memory of 1300	3080	D8EDEA~1.EXE	svchost.com
PID 3080 wrote to memory of 1300	3080	D8EDEA~1.EXE	svchost.com
PID 3080 wrote to memory of 1300	3080	D8EDEA~1.EXE	svchost.com
PID 1300 wrote to memory of 4236	1300	svchost.com	D8EDEA~1.EXE
PID 1300 wrote to memory of 4236	1300	svchost.com	D8EDEA~1.EXE
PID 1300 wrote to memory of 4236	1300	svchost.com	D8EDEA~1.EXE
PID 4236 wrote to memory of 2320	4236	D8EDEA~1.EXE	svchost.com
PID 4236 wrote to memory of 2320	4236	D8EDEA~1.EXE	svchost.com
PID 4236 wrote to memory of 2320	4236	D8EDEA~1.EXE	svchost.com
PID 2320 wrote to memory of 2996	2320	svchost.com	D8EDEA~1.EXE
PID 2320 wrote to memory of 2996	2320	svchost.com	D8EDEA~1.EXE
PID 2320 wrote to memory of 2996	2320	svchost.com	D8EDEA~1.EXE
PID 2996 wrote to memory of 564	2996	D8EDEA~1.EXE	svchost.com
PID 2996 wrote to memory of 564	2996	D8EDEA~1.EXE	svchost.com
PID 2996 wrote to memory of 564	2996	D8EDEA~1.EXE	svchost.com
PID 564 wrote to memory of 4428	564	svchost.com	D8EDEA~1.EXE
PID 564 wrote to memory of 4428	564	svchost.com	D8EDEA~1.EXE
PID 564 wrote to memory of 4428	564	svchost.com	D8EDEA~1.EXE
PID 4428 wrote to memory of 4508	4428	D8EDEA~1.EXE	svchost.com
PID 4428 wrote to memory of 4508	4428	D8EDEA~1.EXE	svchost.com
PID 4428 wrote to memory of 4508	4428	D8EDEA~1.EXE	svchost.com
PID 4508 wrote to memory of 1800	4508	svchost.com	D8EDEA~1.EXE
PID 4508 wrote to memory of 1800	4508	svchost.com	D8EDEA~1.EXE
PID 4508 wrote to memory of 1800	4508	svchost.com	D8EDEA~1.EXE
PID 1800 wrote to memory of 2840	1800	D8EDEA~1.EXE	svchost.com
PID 1800 wrote to memory of 2840	1800	D8EDEA~1.EXE	svchost.com
PID 1800 wrote to memory of 2840	1800	D8EDEA~1.EXE	svchost.com
PID 2840 wrote to memory of 944	2840	svchost.com	D8EDEA~1.EXE
PID 2840 wrote to memory of 944	2840	svchost.com	D8EDEA~1.EXE
PID 2840 wrote to memory of 944	2840	svchost.com	D8EDEA~1.EXE
PID 944 wrote to memory of 4828	944	D8EDEA~1.EXE	svchost.com
PID 944 wrote to memory of 4828	944	D8EDEA~1.EXE	svchost.com
PID 944 wrote to memory of 4828	944	D8EDEA~1.EXE	svchost.com
PID 4828 wrote to memory of 2464	4828	svchost.com	D8EDEA~1.EXE
PID 4828 wrote to memory of 2464	4828	svchost.com	D8EDEA~1.EXE
PID 4828 wrote to memory of 2464	4828	svchost.com	D8EDEA~1.EXE
PID 2464 wrote to memory of 4120	2464	D8EDEA~1.EXE	svchost.com
PID 2464 wrote to memory of 4120	2464	D8EDEA~1.EXE	svchost.com
PID 2464 wrote to memory of 4120	2464	D8EDEA~1.EXE	svchost.com
PID 4120 wrote to memory of 32	4120	svchost.com	D8EDEA~1.EXE
PID 4120 wrote to memory of 32	4120	svchost.com	D8EDEA~1.EXE
PID 4120 wrote to memory of 32	4120	svchost.com	D8EDEA~1.EXE
PID 32 wrote to memory of 3632	32	D8EDEA~1.EXE	svchost.com
PID 32 wrote to memory of 3632	32	D8EDEA~1.EXE	svchost.com
PID 32 wrote to memory of 3632	32	D8EDEA~1.EXE	svchost.com
PID 3632 wrote to memory of 2992	3632	svchost.com	D8EDEA~1.EXE
PID 3632 wrote to memory of 2992	3632	svchost.com	D8EDEA~1.EXE
PID 3632 wrote to memory of 2992	3632	svchost.com	D8EDEA~1.EXE
PID 2992 wrote to memory of 2328	2992	D8EDEA~1.EXE	svchost.com
PID 2992 wrote to memory of 2328	2992	D8EDEA~1.EXE	svchost.com
PID 2992 wrote to memory of 2328	2992	D8EDEA~1.EXE	svchost.com
PID 2328 wrote to memory of 4456	2328	svchost.com	D8EDEA~1.EXE
PID 2328 wrote to memory of 4456	2328	svchost.com	D8EDEA~1.EXE
PID 2328 wrote to memory of 4456	2328	svchost.com	D8EDEA~1.EXE
PID 4456 wrote to memory of 5076	4456	D8EDEA~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
"C:\Users\Admin\AppData\Local\Temp\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:564

C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4508

C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        12⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        14⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        16⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        17⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        18⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        21⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        22⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        26⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        27⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        28⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:3920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        30⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        31⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        32⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        34⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        35⤵
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        36⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        37⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Windows directory
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        38⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        40⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        44⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        45⤵
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        46⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        47⤵
        
        PID:4144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        48⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        49⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        52⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        53⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        54⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        55⤵
        
        PID:260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        56⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        57⤵
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        58⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        59⤵
        Checks computer location settings
        
        PID:692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        60⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        61⤵
        
        PID:3788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        62⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        63⤵
        Checks computer location settings
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        64⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        65⤵
        Drops file in Windows directory
        
        PID:1364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        66⤵
        Drops file in Windows directory
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        67⤵
        Checks computer location settings
        
        PID:1168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        68⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        69⤵
        Checks computer location settings
        Modifies registry class
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        70⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        71⤵
        Modifies registry class
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        72⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        73⤵
        
        PID:2152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        74⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        75⤵
        Checks computer location settings
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        76⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        77⤵
        
        PID:3348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        78⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        79⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        80⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        81⤵
        
        PID:4896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        82⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        83⤵
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        84⤵
        Drops file in Windows directory
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        85⤵
        
        PID:3076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        86⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        87⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        88⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        89⤵
        Checks computer location settings
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        90⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        91⤵
        Modifies registry class
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        92⤵
        Drops file in Windows directory
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        93⤵
        Modifies registry class
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        94⤵
        Drops file in Windows directory
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        95⤵
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        96⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        97⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        98⤵
        Drops file in Windows directory
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        99⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        100⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        101⤵
        Checks computer location settings
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        102⤵
        Drops file in Windows directory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        103⤵
        Drops file in Windows directory
        
        PID:256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        104⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        105⤵
        
        PID:4720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        106⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        107⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        108⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        109⤵
        Modifies registry class
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        110⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        111⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        112⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        113⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        114⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        115⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        116⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        117⤵
        
        PID:1184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        118⤵
        Drops file in Windows directory
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        119⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        120⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        121⤵
        Modifies registry class
        
        PID:2392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        122⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        123⤵
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        124⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        125⤵
        Modifies registry class
        
        PID:3688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        126⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        127⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        128⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        129⤵
        
        PID:4040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        130⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        131⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        132⤵
        Drops file in Windows directory
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        133⤵
        Checks computer location settings
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        134⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        135⤵
        Checks computer location settings
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        136⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        137⤵
        Checks computer location settings
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        138⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        139⤵
        
        PID:4128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        140⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        141⤵
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        142⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        143⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        144⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        145⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        146⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        147⤵
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        148⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        149⤵
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        150⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        151⤵
        Drops file in Windows directory
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        152⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        153⤵
        Checks computer location settings
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        154⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        155⤵
        Modifies registry class
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        156⤵
        Drops file in Windows directory
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        157⤵
        Checks computer location settings
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        158⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        159⤵
        Modifies registry class
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        160⤵
        Drops file in Windows directory
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        161⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        162⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        163⤵
        Drops file in Windows directory
        
        PID:532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        164⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        165⤵
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        166⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        167⤵
        Modifies registry class
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        168⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        169⤵
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        170⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        171⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        172⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        173⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        174⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        175⤵
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        176⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        177⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        178⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        179⤵
        Modifies registry class
        
        PID:3236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        180⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        181⤵
        Modifies registry class
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        182⤵
        Drops file in Windows directory
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        183⤵
        Modifies registry class
        
        PID:372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        184⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        185⤵
        Checks computer location settings
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        186⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        187⤵
        Checks computer location settings
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        188⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        189⤵
        
        PID:4948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        190⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        191⤵
        Modifies registry class
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        192⤵
        Drops file in Windows directory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        193⤵
        Checks computer location settings
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        194⤵
        Drops file in Windows directory
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        195⤵
        
        PID:4408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        196⤵
        Drops file in Windows directory
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        197⤵
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        198⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        199⤵
        Drops file in Windows directory
        
        PID:4436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        200⤵
        Drops file in Windows directory
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        201⤵
        Checks computer location settings
        
        PID:3980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        202⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        203⤵
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        204⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        205⤵
        Checks computer location settings
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        206⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        207⤵
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        208⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        209⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        210⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        211⤵
        Checks computer location settings
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        212⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        213⤵
        Checks computer location settings
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        214⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        215⤵
        Modifies registry class
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        216⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        217⤵
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        218⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        219⤵
        Checks computer location settings
        
        PID:5000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        220⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        221⤵
        
        PID:3560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        222⤵
        Drops file in Windows directory
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        223⤵
        
        PID:1208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        224⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        225⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        226⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        227⤵
        
        PID:1184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        228⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        229⤵
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        230⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        231⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        232⤵
        Drops file in Windows directory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        233⤵
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        234⤵
        Drops file in Windows directory
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        235⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        236⤵
        Drops file in Windows directory
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        237⤵
        Modifies registry class
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        238⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        239⤵
        Modifies registry class
        
        PID:3572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        240⤵
        Drops file in Windows directory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        241⤵
        Checks computer location settings
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        242⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        243⤵
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        244⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        245⤵
        Checks computer location settings
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        246⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        247⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        248⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        249⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        250⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        251⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        252⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        253⤵
        
        PID:2808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        254⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        255⤵
        
        PID:828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        256⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        257⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        258⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        259⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        260⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        261⤵
        Checks computer location settings
        
        PID:4488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        262⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        263⤵
        Drops file in Windows directory
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        264⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        265⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        266⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        267⤵
        Checks computer location settings
        
        PID:3172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        268⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        269⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        270⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        271⤵
        
        PID:256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        272⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        273⤵
        Checks computer location settings
        Modifies registry class
        
        PID:160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        274⤵
        Drops file in Windows directory
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        275⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        276⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        277⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        278⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        279⤵
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        280⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        281⤵
        Modifies registry class
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        282⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        283⤵
        Checks computer location settings
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        284⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        285⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        286⤵
        Drops file in Windows directory
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        287⤵
        Checks computer location settings
        
        PID:1004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        288⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        289⤵
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        290⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        291⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        292⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        293⤵
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        294⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        295⤵
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        296⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        297⤵
        Modifies registry class
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        298⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        299⤵
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        300⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        301⤵
        Checks computer location settings
        
        PID:4312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        302⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        303⤵
        Modifies registry class
        
        PID:3256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        304⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        305⤵
        
        PID:372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        306⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        307⤵
        Modifies registry class
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        308⤵
        Drops file in Windows directory
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        309⤵
        Checks computer location settings
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        310⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        311⤵
        Checks computer location settings
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        312⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        313⤵
        
        PID:4800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        314⤵
        Drops file in Windows directory
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        315⤵
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        316⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        317⤵
        Drops file in Windows directory
        
        PID:2760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        318⤵
        Drops file in Windows directory
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        319⤵
        Drops file in Windows directory
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        320⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        321⤵
        Drops file in Windows directory
        
        PID:4128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        322⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        323⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        324⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        325⤵
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        326⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        327⤵
        
        PID:4452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        328⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        329⤵
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        330⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        331⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        332⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        333⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        334⤵
        Drops file in Windows directory
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        335⤵
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        336⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        337⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        338⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        339⤵
        Checks computer location settings
        
        PID:4480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        340⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        341⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        342⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        343⤵
        Drops file in Windows directory
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        344⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        345⤵
        
        PID:5036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        346⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        347⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE"
        348⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D8EDEA~1.EXE
        349⤵
        
        PID:3560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d8edea5e5351b2d98c588c4aa059283f75381c0c0707aba8776032d2c3441ef4.exe

Filesize
1.1MB

MD5
39c6561d751818b4ffdae657d74e1da8

SHA1
c52c49323f0ba5b484659536ffe0ec7af2bc244f

SHA256
628fc6b09226243208c9de2b2a106f3c8351c9a72376cdb2e547701b59193091

SHA512
a4503b06704d752e39c2f39b061a22e9ec05f21afb01a3a1d261632b152ba09a762164f45435b390bcc4f311701f9cf59a91581b900ea0465253761c1ef925f4

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6aabad071c87fff137c8762c93d4792d

SHA1
09c221a7ce3f31d3403fce1fbd084e4bac67c960

SHA256
b74661dde992041ab15ef7be7d7babe156835683f7217e228f9d5c3913c8e66e

SHA512
7cd528f284d1b127dcc9df6c2cb7bc9c1e10246ab32632446e23d60da3aaff57038a9d2971bac865e9416dd76ae73762498bf41d3f9e5813b1cb1b41e9a4d340

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/32-179-0x0000000000000000-mapping.dmp

Download
memory/260-257-0x0000000000000000-mapping.dmp

Download
memory/444-235-0x0000000000000000-mapping.dmp

Download
memory/540-239-0x0000000000000000-mapping.dmp

Download
memory/564-151-0x0000000000000000-mapping.dmp

Download
memory/824-203-0x0000000000000000-mapping.dmp

Download
memory/828-242-0x0000000000000000-mapping.dmp

Download
memory/832-224-0x0000000000000000-mapping.dmp

Download
memory/944-167-0x0000000000000000-mapping.dmp

Download
memory/956-240-0x0000000000000000-mapping.dmp

Download
memory/1044-220-0x0000000000000000-mapping.dmp

Download
memory/1108-225-0x0000000000000000-mapping.dmp

Download
memory/1300-139-0x0000000000000000-mapping.dmp

Download
memory/1424-243-0x0000000000000000-mapping.dmp

Download
memory/1484-256-0x0000000000000000-mapping.dmp

Download
memory/1800-161-0x0000000000000000-mapping.dmp

Download
memory/1804-237-0x0000000000000000-mapping.dmp

Download
memory/1836-214-0x0000000000000000-mapping.dmp

Download
memory/2060-210-0x0000000000000000-mapping.dmp

Download
memory/2180-228-0x0000000000000000-mapping.dmp

Download
memory/2232-227-0x0000000000000000-mapping.dmp

Download
memory/2320-145-0x0000000000000000-mapping.dmp

Download
memory/2328-187-0x0000000000000000-mapping.dmp

Download
memory/2360-236-0x0000000000000000-mapping.dmp

Download
memory/2464-172-0x0000000000000000-mapping.dmp

Download
memory/2464-255-0x0000000000000000-mapping.dmp

Download
memory/2476-231-0x0000000000000000-mapping.dmp

Download
memory/2548-216-0x0000000000000000-mapping.dmp

Download
memory/2644-233-0x0000000000000000-mapping.dmp

Download
memory/2700-222-0x0000000000000000-mapping.dmp

Download
memory/2728-229-0x0000000000000000-mapping.dmp

Download
memory/2840-163-0x0000000000000000-mapping.dmp

Download
memory/2992-184-0x0000000000000000-mapping.dmp

Download
memory/2996-148-0x0000000000000000-mapping.dmp

Download
memory/3080-137-0x0000000000000000-mapping.dmp

Download
memory/3112-252-0x0000000000000000-mapping.dmp

Download
memory/3408-248-0x0000000000000000-mapping.dmp

Download
memory/3604-234-0x0000000000000000-mapping.dmp

Download
memory/3632-181-0x0000000000000000-mapping.dmp

Download
memory/3640-250-0x0000000000000000-mapping.dmp

Download
memory/3920-232-0x0000000000000000-mapping.dmp

Download
memory/3976-130-0x0000000000000000-mapping.dmp

Download
memory/4032-253-0x0000000000000000-mapping.dmp

Download
memory/4060-226-0x0000000000000000-mapping.dmp

Download
memory/4120-175-0x0000000000000000-mapping.dmp

Download
memory/4144-249-0x0000000000000000-mapping.dmp

Download
memory/4196-133-0x0000000000000000-mapping.dmp

Download
memory/4236-143-0x0000000000000000-mapping.dmp

Download
memory/4392-246-0x0000000000000000-mapping.dmp

Download
memory/4428-155-0x0000000000000000-mapping.dmp

Download
memory/4456-191-0x0000000000000000-mapping.dmp

Download
memory/4500-247-0x0000000000000000-mapping.dmp

Download
memory/4508-157-0x0000000000000000-mapping.dmp

Download
memory/4540-245-0x0000000000000000-mapping.dmp

Download
memory/4600-251-0x0000000000000000-mapping.dmp

Download
memory/4620-199-0x0000000000000000-mapping.dmp

Download
memory/4804-244-0x0000000000000000-mapping.dmp

Download
memory/4828-169-0x0000000000000000-mapping.dmp

Download
memory/4908-230-0x0000000000000000-mapping.dmp

Download
memory/4912-254-0x0000000000000000-mapping.dmp

Download
memory/4920-238-0x0000000000000000-mapping.dmp

Download
memory/4964-241-0x0000000000000000-mapping.dmp

Download
memory/5000-197-0x0000000000000000-mapping.dmp

Download
memory/5076-193-0x0000000000000000-mapping.dmp

Download