neshta | 1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb

Analysis

max time kernel
186s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-06-2022 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
Size

465KB
MD5

ca6fe59945cf7d7ab411ec47fad20c80
SHA1

92aa2e90a9368496193b052be0cd3c6e266e0663
SHA256

1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb
SHA512

7ca4130dc0a53cfd6e3ef7670befc9d00dab64e3e1f9a20d5bd5b8178ea41f71601972711175db1169401d71611157b652bd011fed283ecad54fd98e3f53ebca

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 35 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exesvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com

pid	process
4896	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
1344	svchost.com
4872	1423E8~1.EXE
4640	svchost.com
4680	1423E8~1.EXE
1416	svchost.com
2436	1423E8~1.EXE
960	svchost.com
2036	1423E8~1.EXE
632	svchost.com
4180	1423E8~1.EXE
4776	svchost.com
3528	1423E8~1.EXE
216	svchost.com
5104	1423E8~1.EXE
2296	svchost.com
4192	1423E8~1.EXE
3244	svchost.com
3844	1423E8~1.EXE
2728	svchost.com
3208	1423E8~1.EXE
1972	svchost.com
5040	1423E8~1.EXE
1568	svchost.com
4280	1423E8~1.EXE
3604	svchost.com
4928	1423E8~1.EXE
1964	svchost.com
2464	1423E8~1.EXE
3768	svchost.com
3668	1423E8~1.EXE
1852	svchost.com
1992	1423E8~1.EXE
1880	svchost.com
3428	1423E8~1.EXE
4272	svchost.com
968	1423E8~1.EXE
1340	svchost.com
1280	1423E8~1.EXE
3216	svchost.com
1812	1423E8~1.EXE
5000	svchost.com
424	1423E8~1.EXE
4912	svchost.com
1748	1423E8~1.EXE
3036	svchost.com
2060	1423E8~1.EXE
4064	svchost.com
2600	1423E8~1.EXE
1180	svchost.com
1824	1423E8~1.EXE
936	svchost.com
4852	1423E8~1.EXE
3464	svchost.com
1244	1423E8~1.EXE
4724	svchost.com
4188	1423E8~1.EXE
4640	svchost.com
4684	1423E8~1.EXE
1236	svchost.com
720	1423E8~1.EXE
5096	svchost.com
4384	1423E8~1.EXE
3892	svchost.com

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1423E8~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.com1423E8~1.EXE1423E8~1.EXEsvchost.comsvchost.com1423E8~1.EXE1423E8~1.EXEsvchost.comsvchost.comsvchost.com1423E8~1.EXEsvchost.comsvchost.com1423E8~1.EXE1423E8~1.EXEsvchost.comsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com1423E8~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.comsvchost.com1423E8~1.EXE1423E8~1.EXEsvchost.comsvchost.com1423E8~1.EXEsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	1423E8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE1423E8~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	1423E8~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exesvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXEsvchost.com1423E8~1.EXE

description	pid	process	target process
PID 4864 wrote to memory of 4896	4864	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
PID 4864 wrote to memory of 4896	4864	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
PID 4864 wrote to memory of 4896	4864	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
PID 4896 wrote to memory of 1344	4896	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	svchost.com
PID 4896 wrote to memory of 1344	4896	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	svchost.com
PID 4896 wrote to memory of 1344	4896	1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe	svchost.com
PID 1344 wrote to memory of 4872	1344	svchost.com	1423E8~1.EXE
PID 1344 wrote to memory of 4872	1344	svchost.com	1423E8~1.EXE
PID 1344 wrote to memory of 4872	1344	svchost.com	1423E8~1.EXE
PID 4872 wrote to memory of 4640	4872	1423E8~1.EXE	svchost.com
PID 4872 wrote to memory of 4640	4872	1423E8~1.EXE	svchost.com
PID 4872 wrote to memory of 4640	4872	1423E8~1.EXE	svchost.com
PID 4640 wrote to memory of 4680	4640	svchost.com	1423E8~1.EXE
PID 4640 wrote to memory of 4680	4640	svchost.com	1423E8~1.EXE
PID 4640 wrote to memory of 4680	4640	svchost.com	1423E8~1.EXE
PID 4680 wrote to memory of 1416	4680	1423E8~1.EXE	svchost.com
PID 4680 wrote to memory of 1416	4680	1423E8~1.EXE	svchost.com
PID 4680 wrote to memory of 1416	4680	1423E8~1.EXE	svchost.com
PID 1416 wrote to memory of 2436	1416	svchost.com	1423E8~1.EXE
PID 1416 wrote to memory of 2436	1416	svchost.com	1423E8~1.EXE
PID 1416 wrote to memory of 2436	1416	svchost.com	1423E8~1.EXE
PID 2436 wrote to memory of 960	2436	1423E8~1.EXE	svchost.com
PID 2436 wrote to memory of 960	2436	1423E8~1.EXE	svchost.com
PID 2436 wrote to memory of 960	2436	1423E8~1.EXE	svchost.com
PID 960 wrote to memory of 2036	960	svchost.com	1423E8~1.EXE
PID 960 wrote to memory of 2036	960	svchost.com	1423E8~1.EXE
PID 960 wrote to memory of 2036	960	svchost.com	1423E8~1.EXE
PID 2036 wrote to memory of 632	2036	1423E8~1.EXE	svchost.com
PID 2036 wrote to memory of 632	2036	1423E8~1.EXE	svchost.com
PID 2036 wrote to memory of 632	2036	1423E8~1.EXE	svchost.com
PID 632 wrote to memory of 4180	632	svchost.com	1423E8~1.EXE
PID 632 wrote to memory of 4180	632	svchost.com	1423E8~1.EXE
PID 632 wrote to memory of 4180	632	svchost.com	1423E8~1.EXE
PID 4180 wrote to memory of 4776	4180	1423E8~1.EXE	svchost.com
PID 4180 wrote to memory of 4776	4180	1423E8~1.EXE	svchost.com
PID 4180 wrote to memory of 4776	4180	1423E8~1.EXE	svchost.com
PID 4776 wrote to memory of 3528	4776	svchost.com	1423E8~1.EXE
PID 4776 wrote to memory of 3528	4776	svchost.com	1423E8~1.EXE
PID 4776 wrote to memory of 3528	4776	svchost.com	1423E8~1.EXE
PID 3528 wrote to memory of 216	3528	1423E8~1.EXE	svchost.com
PID 3528 wrote to memory of 216	3528	1423E8~1.EXE	svchost.com
PID 3528 wrote to memory of 216	3528	1423E8~1.EXE	svchost.com
PID 216 wrote to memory of 5104	216	svchost.com	1423E8~1.EXE
PID 216 wrote to memory of 5104	216	svchost.com	1423E8~1.EXE
PID 216 wrote to memory of 5104	216	svchost.com	1423E8~1.EXE
PID 5104 wrote to memory of 2296	5104	1423E8~1.EXE	svchost.com
PID 5104 wrote to memory of 2296	5104	1423E8~1.EXE	svchost.com
PID 5104 wrote to memory of 2296	5104	1423E8~1.EXE	svchost.com
PID 2296 wrote to memory of 4192	2296	svchost.com	1423E8~1.EXE
PID 2296 wrote to memory of 4192	2296	svchost.com	1423E8~1.EXE
PID 2296 wrote to memory of 4192	2296	svchost.com	1423E8~1.EXE
PID 4192 wrote to memory of 3244	4192	1423E8~1.EXE	svchost.com
PID 4192 wrote to memory of 3244	4192	1423E8~1.EXE	svchost.com
PID 4192 wrote to memory of 3244	4192	1423E8~1.EXE	svchost.com
PID 3244 wrote to memory of 3844	3244	svchost.com	1423E8~1.EXE
PID 3244 wrote to memory of 3844	3244	svchost.com	1423E8~1.EXE
PID 3244 wrote to memory of 3844	3244	svchost.com	1423E8~1.EXE
PID 3844 wrote to memory of 2728	3844	1423E8~1.EXE	svchost.com
PID 3844 wrote to memory of 2728	3844	1423E8~1.EXE	svchost.com
PID 3844 wrote to memory of 2728	3844	1423E8~1.EXE	svchost.com
PID 2728 wrote to memory of 3208	2728	svchost.com	1423E8~1.EXE
PID 2728 wrote to memory of 3208	2728	svchost.com	1423E8~1.EXE
PID 2728 wrote to memory of 3208	2728	svchost.com	1423E8~1.EXE
PID 3208 wrote to memory of 1972	3208	1423E8~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
"C:\Users\Admin\AppData\Local\Temp\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        24⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        40⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:1280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        58⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        66⤵
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        67⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        68⤵
        Checks computer location settings
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        69⤵
        Drops file in Windows directory
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        70⤵
        Modifies registry class
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        71⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        72⤵
        Modifies registry class
        
        PID:1364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        73⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        74⤵
        
        PID:4256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        75⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        76⤵
        Checks computer location settings
        
        PID:4184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        77⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        78⤵
        Modifies registry class
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        79⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        80⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        81⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        83⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        84⤵
        Checks computer location settings
        
        PID:3320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        85⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        86⤵
        
        PID:988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        87⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        88⤵
        Modifies registry class
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        89⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        90⤵
        
        PID:1108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        91⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        92⤵
        
        PID:4464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        93⤵
        Drops file in Windows directory
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        94⤵
        
        PID:1008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        95⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        96⤵
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        97⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        98⤵
        Modifies registry class
        
        PID:4832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        100⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        101⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        102⤵
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        103⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        104⤵
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        105⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        106⤵
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        107⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        108⤵
        Checks computer location settings
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        109⤵
        Drops file in Windows directory
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        110⤵
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        111⤵
        Drops file in Windows directory
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        112⤵
        
        PID:3212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        113⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        114⤵
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        115⤵
        Drops file in Windows directory
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        116⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        117⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        118⤵
        Drops file in Windows directory
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        119⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        120⤵
        Modifies registry class
        
        PID:936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        121⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        122⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        123⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        124⤵
        
        PID:4600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        125⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        126⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        127⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        128⤵
        
        PID:1464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        129⤵
        Drops file in Windows directory
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        130⤵
        
        PID:5092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        131⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        132⤵
        
        PID:432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        133⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        134⤵
        Drops file in Windows directory
        
        PID:204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        135⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        136⤵
        Modifies registry class
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        137⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        138⤵
        Modifies registry class
        
        PID:4192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        139⤵
        Drops file in Windows directory
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        140⤵
        Modifies registry class
        
        PID:3136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        141⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        142⤵
        Checks computer location settings
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        143⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        144⤵
        
        PID:3804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        145⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        146⤵
        Modifies registry class
        
        PID:5044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        147⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        148⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        149⤵
        Drops file in Windows directory
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        150⤵
        
        PID:4944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        151⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        152⤵
        Checks computer location settings
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        153⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        154⤵
        Modifies registry class
        
        PID:4140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        155⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        156⤵
        
        PID:4948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        157⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        158⤵
        
        PID:3668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        159⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        160⤵
        
        PID:1256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        161⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        162⤵
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        163⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        164⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        165⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        166⤵
        Checks computer location settings
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        167⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        168⤵
        Checks computer location settings
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        169⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        170⤵
        Modifies registry class
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        171⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        172⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        173⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        174⤵
        Checks computer location settings
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        175⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        176⤵
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        177⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        178⤵
        
        PID:4812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        179⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        180⤵
        
        PID:1828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        181⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        182⤵
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        183⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        184⤵
        
        PID:5080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        185⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        186⤵
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        187⤵
        Drops file in Windows directory
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        188⤵
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        189⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        190⤵
        Modifies registry class
        
        PID:400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        191⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        192⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        194⤵
        
        PID:224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        195⤵
        Drops file in Windows directory
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        196⤵
        Checks computer location settings
        
        PID:4412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        197⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        198⤵
        
        PID:3860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        199⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        200⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        201⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        202⤵
        Checks computer location settings
        
        PID:4656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        203⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        204⤵
        Modifies registry class
        
        PID:3776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        205⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        206⤵
        Modifies registry class
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        207⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        208⤵
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        209⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        210⤵
        Modifies registry class
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        211⤵
        Drops file in Windows directory
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        212⤵
        Checks computer location settings
        
        PID:4152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        213⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        214⤵
        Checks computer location settings
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        215⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        216⤵
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        217⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        218⤵
        
        PID:3700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        219⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        220⤵
        
        PID:4388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        221⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        222⤵
        
        PID:1100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        223⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        224⤵
        Checks computer location settings
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        225⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        226⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        227⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        228⤵
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        229⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        230⤵
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        231⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        232⤵
        Modifies registry class
        
        PID:4800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        234⤵
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        235⤵
        Drops file in Windows directory
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        236⤵
        Modifies registry class
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        237⤵
        Drops file in Windows directory
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        238⤵
        
        PID:4052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        239⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        240⤵
        
        PID:3232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        241⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        242⤵
        
        PID:4612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        243⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        244⤵
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        245⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        246⤵
        Modifies registry class
        
        PID:4188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        247⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        248⤵
        Checks computer location settings
        
        PID:332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        249⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        250⤵
        Drops file in Windows directory
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        251⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        252⤵
        
        PID:632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        253⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        254⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        255⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        256⤵
        Checks computer location settings
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        257⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        258⤵
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        259⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        260⤵
        
        PID:4192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        261⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        262⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        263⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        264⤵
        Checks computer location settings
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        265⤵
        Drops file in Windows directory
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        266⤵
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        267⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        268⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        269⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        270⤵
        Checks computer location settings
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        271⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        272⤵
        Modifies registry class
        
        PID:3112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        273⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        274⤵
        Checks computer location settings
        
        PID:1108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        275⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        276⤵
        Drops file in Windows directory
        
        PID:2952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        277⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        278⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        279⤵
        Drops file in Windows directory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        280⤵
        Modifies registry class
        
        PID:4204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        281⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        282⤵
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        283⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        284⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        285⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        286⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        287⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        288⤵
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        289⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        290⤵
        Modifies registry class
        
        PID:1164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        291⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        292⤵
        Modifies registry class
        
        PID:3216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        293⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        294⤵
        Modifies registry class
        
        PID:2416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        295⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        296⤵
        
        PID:4340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        297⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        298⤵
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        299⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        300⤵
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        301⤵
        Drops file in Windows directory
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        302⤵
        Checks computer location settings
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        303⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        304⤵
        Drops file in Windows directory
        
        PID:792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        305⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        306⤵
        
        PID:4636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        307⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        308⤵
        Checks computer location settings
        
        PID:4168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        309⤵
        Drops file in Windows directory
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        310⤵
        Checks computer location settings
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        311⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        312⤵
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        313⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        314⤵
        Modifies registry class
        
        PID:4932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        315⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        316⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        317⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        318⤵
        Drops file in Windows directory
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        319⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        320⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        321⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        322⤵
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        323⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        324⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        325⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        326⤵
        Checks computer location settings
        
        PID:3520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        327⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        328⤵
        Drops file in Windows directory
        
        PID:3792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        329⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        330⤵
        Checks computer location settings
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        331⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        332⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        333⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        334⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        335⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        336⤵
        Drops file in Windows directory
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        337⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        338⤵
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        339⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        340⤵
        Checks computer location settings
        
        PID:4284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        341⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        342⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        343⤵
        Drops file in Windows directory
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        344⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        345⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        346⤵
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        347⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        348⤵
        
        PID:4244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        349⤵
        Drops file in Windows directory
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        350⤵
        
        PID:3888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        351⤵
        Drops file in Windows directory
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        352⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        353⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        354⤵
        Checks computer location settings
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        355⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        356⤵
        Modifies registry class
        
        PID:3212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        357⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        358⤵
        Drops file in Windows directory
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        359⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        360⤵
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        361⤵
        Drops file in Windows directory
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        362⤵
        Drops file in Windows directory
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        363⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        364⤵
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        365⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        366⤵
        Modifies registry class
        
        PID:4640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        367⤵
        Drops file in Windows directory
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        368⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        369⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        370⤵
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        371⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        372⤵
        Drops file in Windows directory
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        373⤵
        Drops file in Windows directory
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        374⤵
        Modifies registry class
        
        PID:612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        375⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        376⤵
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        377⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        378⤵
        Modifies registry class
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        379⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        380⤵
        Drops file in Windows directory
        
        PID:384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        381⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        382⤵
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        383⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        384⤵
        Drops file in Windows directory
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        385⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        386⤵
        Modifies registry class
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        387⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        388⤵
        
        PID:3804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        389⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        390⤵
        
        PID:728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        391⤵
        Drops file in Windows directory
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        392⤵
        
        PID:1276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        393⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        394⤵
        
        PID:1524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        395⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        396⤵
        Checks computer location settings
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        397⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        398⤵
        Modifies registry class
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        399⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        400⤵
        Checks computer location settings
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        401⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        402⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        403⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        404⤵
        Checks computer location settings
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        405⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        406⤵
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        407⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        408⤵
        Checks computer location settings
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        409⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        410⤵
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        411⤵
        Drops file in Windows directory
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        412⤵
        Checks computer location settings
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        413⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        414⤵
        Checks computer location settings
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        415⤵
        Drops file in Windows directory
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        416⤵
        
        PID:1096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        417⤵
        Drops file in Windows directory
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        418⤵
        Modifies registry class
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        419⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        420⤵
        Checks computer location settings
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        421⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        422⤵
        Drops file in Windows directory
        
        PID:3276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        423⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        424⤵
        Checks computer location settings
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        425⤵
        Drops file in Windows directory
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        426⤵
        Checks computer location settings
        
        PID:4576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        427⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        428⤵
        Drops file in Windows directory
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        429⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        430⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        431⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        432⤵
        Checks computer location settings
        
        PID:4180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        433⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        434⤵
        Modifies registry class
        
        PID:4700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        435⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        436⤵
        
        PID:632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        437⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        438⤵
        
        PID:4424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        439⤵
        Drops file in Windows directory
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        440⤵
        
        PID:224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        441⤵
        Drops file in Windows directory
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        442⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        443⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        444⤵
        Modifies registry class
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        445⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        446⤵
        Checks computer location settings
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        447⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        448⤵
        
        PID:5024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        449⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        450⤵
        
        PID:4148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        451⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        452⤵
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        453⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        454⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        455⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        456⤵
        Drops file in Windows directory
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        457⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        458⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        459⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        460⤵
        
        PID:3148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        461⤵
        Drops file in Windows directory
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        462⤵
        
        PID:3736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        463⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        464⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        465⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        466⤵
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        467⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        468⤵
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        469⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        470⤵
        Checks computer location settings
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        471⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        472⤵
        Checks computer location settings
        
        PID:3628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        473⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        474⤵
        Modifies registry class
        
        PID:1104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        475⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        476⤵
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        477⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        478⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        479⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        65⤵
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        66⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        67⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        68⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        69⤵
        
        PID:2588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        70⤵
        Drops file in Windows directory
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        71⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        72⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        73⤵
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        74⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        75⤵
        
        PID:4808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        76⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        77⤵
        
        PID:4168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        78⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        79⤵
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        80⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        81⤵
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        82⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        83⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        84⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        85⤵
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        86⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        87⤵
        
        PID:632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        88⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        89⤵
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        90⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        91⤵
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE"
        92⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\1423E8~1.EXE
        93⤵
        
        PID:508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1423e8c23f4a7061d28daf43b69fd2b2bfdd49f694b79dd2438c40dbbc4370cb.exe

Filesize
424KB

MD5
ab67c63508a077f182c75766461a83e3

SHA1
0b95a332f330da67276a1ea141c4d65254cb6f9d

SHA256
748092a756d15c287309c3dc9f67ce8b835659b98d21648dc37f549d5cbf1350

SHA512
e1841f18db4069c999996dd85cd9d9c3f2017468202209b0d1f3d0923999f98ad55db2599a3545dccd30ac7d367742f7915507dc5a92b72f49fc689fe652a06f

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7a6dc772a0cc03e3cf037723c6ce0cbd

SHA1
9a93a8870a70f5d0d1fd2490a982e12a7f77a134

SHA256
c6936338e35b6a3c5b3d762853bc1a6655c525d295a3c82e1a060ef00b63f2b2

SHA512
ddbddd8ef31a71c4e978d269bb3ff1fe9fdecbbde866444f84504045cac435ba020bbccbce501fb0c79fd50cfddc8b24b36e77e559b3506b0eb85b0a5c962b9f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/216-170-0x0000000000000000-mapping.dmp

Download
memory/424-236-0x0000000000000000-mapping.dmp

Download
memory/632-158-0x0000000000000000-mapping.dmp

Download
memory/720-254-0x0000000000000000-mapping.dmp

Download
memory/936-245-0x0000000000000000-mapping.dmp

Download
memory/960-152-0x0000000000000000-mapping.dmp

Download
memory/968-230-0x0000000000000000-mapping.dmp

Download
memory/1180-243-0x0000000000000000-mapping.dmp

Download
memory/1236-253-0x0000000000000000-mapping.dmp

Download
memory/1244-248-0x0000000000000000-mapping.dmp

Download
memory/1280-232-0x0000000000000000-mapping.dmp

Download
memory/1340-231-0x0000000000000000-mapping.dmp

Download
memory/1344-133-0x0000000000000000-mapping.dmp

Download
memory/1416-146-0x0000000000000000-mapping.dmp

Download
memory/1568-200-0x0000000000000000-mapping.dmp

Download
memory/1748-238-0x0000000000000000-mapping.dmp

Download
memory/1812-234-0x0000000000000000-mapping.dmp

Download
memory/1824-244-0x0000000000000000-mapping.dmp

Download
memory/1852-224-0x0000000000000000-mapping.dmp

Download
memory/1880-227-0x0000000000000000-mapping.dmp

Download
memory/1964-212-0x0000000000000000-mapping.dmp

Download
memory/1972-194-0x0000000000000000-mapping.dmp

Download
memory/1992-226-0x0000000000000000-mapping.dmp

Download
memory/2036-155-0x0000000000000000-mapping.dmp

Download
memory/2060-240-0x0000000000000000-mapping.dmp

Download
memory/2296-176-0x0000000000000000-mapping.dmp

Download
memory/2436-150-0x0000000000000000-mapping.dmp

Download
memory/2464-216-0x0000000000000000-mapping.dmp

Download
memory/2600-242-0x0000000000000000-mapping.dmp

Download
memory/2728-188-0x0000000000000000-mapping.dmp

Download
memory/3036-239-0x0000000000000000-mapping.dmp

Download
memory/3208-192-0x0000000000000000-mapping.dmp

Download
memory/3216-233-0x0000000000000000-mapping.dmp

Download
memory/3244-182-0x0000000000000000-mapping.dmp

Download
memory/3428-228-0x0000000000000000-mapping.dmp

Download
memory/3464-247-0x0000000000000000-mapping.dmp

Download
memory/3528-168-0x0000000000000000-mapping.dmp

Download
memory/3604-206-0x0000000000000000-mapping.dmp

Download
memory/3668-222-0x0000000000000000-mapping.dmp

Download
memory/3768-218-0x0000000000000000-mapping.dmp

Download
memory/3844-186-0x0000000000000000-mapping.dmp

Download
memory/3892-257-0x0000000000000000-mapping.dmp

Download
memory/4064-241-0x0000000000000000-mapping.dmp

Download
memory/4180-162-0x0000000000000000-mapping.dmp

Download
memory/4188-250-0x0000000000000000-mapping.dmp

Download
memory/4192-180-0x0000000000000000-mapping.dmp

Download
memory/4272-229-0x0000000000000000-mapping.dmp

Download
memory/4280-204-0x0000000000000000-mapping.dmp

Download
memory/4384-256-0x0000000000000000-mapping.dmp

Download
memory/4640-140-0x0000000000000000-mapping.dmp

Download
memory/4640-251-0x0000000000000000-mapping.dmp

Download
memory/4680-144-0x0000000000000000-mapping.dmp

Download
memory/4684-252-0x0000000000000000-mapping.dmp

Download
memory/4724-249-0x0000000000000000-mapping.dmp

Download
memory/4776-164-0x0000000000000000-mapping.dmp

Download
memory/4852-246-0x0000000000000000-mapping.dmp

Download
memory/4872-138-0x0000000000000000-mapping.dmp

Download
memory/4896-130-0x0000000000000000-mapping.dmp

Download
memory/4912-237-0x0000000000000000-mapping.dmp

Download
memory/4928-210-0x0000000000000000-mapping.dmp

Download
memory/5000-235-0x0000000000000000-mapping.dmp

Download
memory/5040-198-0x0000000000000000-mapping.dmp

Download
memory/5096-255-0x0000000000000000-mapping.dmp

Download
memory/5104-174-0x0000000000000000-mapping.dmp

Download