neshta | 95d139480818083ccfbacde06e5788218452f007f7befc76f975b013e7217fde

Analysis

max time kernel
97s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2022 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b10978c0266d0ce9de63361b427117a.exe
Size

586KB
MD5

3b10978c0266d0ce9de63361b427117a
SHA1

47f2e9ca3c71ad001d176e43ead92e7473f088c7
SHA256

95d139480818083ccfbacde06e5788218452f007f7befc76f975b013e7217fde
SHA512

eb71e4c9002160e3a7ca458e8f6c1449e1253141b826ba05f8e2f7baf8c60978851f745f21121d37d0d6bacf2cfca2dc4bdd5c8e98aee89c6aa23ad98651a553
SSDEEP

12288:h7d4Mcp7IJfKECTsFzQt+JrPGr7zMgF9YTaSenaUepaUepaS7W:gMcOJpCTGzQt+YQE9oaSYaUmaUmaz

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 43 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\odt\office2016setup.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

3b10978c0266d0ce9de63361b427117a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3b10978c0266d0ce9de63361b427117a.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

3b10978c0266d0ce9de63361b427117a.exesvchost.exe3b10978c0266d0ce9de63361b427117a.exesvchost.exesvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXE

pid	process
4888	3b10978c0266d0ce9de63361b427117a.exe
4800	svchost.exe
4020	3b10978c0266d0ce9de63361b427117a.exe
2376	svchost.exe
4128	svchost.com
3292	3B1097~1.EXE
3432	svchost.com
4592	3B1097~1.EXE
1512	svchost.com
4224	3B1097~1.EXE
212	svchost.com
2776	3B1097~1.EXE
552	svchost.com
1516	3B1097~1.EXE
1296	svchost.com
388	3B1097~1.EXE
2664	svchost.com
4540	3B1097~1.EXE
3708	svchost.com
5096	3B1097~1.EXE
3240	svchost.com
1132	3B1097~1.EXE
1728	svchost.com
4076	3B1097~1.EXE
4764	svchost.com
3712	3B1097~1.EXE
4280	svchost.com
4808	3B1097~1.EXE
452	svchost.com
4640	3B1097~1.EXE
4220	svchost.com
4832	3B1097~1.EXE
4092	svchost.com
3412	3B1097~1.EXE
3424	svchost.com
4456	3B1097~1.EXE
1808	svchost.com
4156	3B1097~1.EXE
3692	svchost.com
4548	3B1097~1.EXE
4772	svchost.com
2424	3B1097~1.EXE
3172	svchost.com
4140	3B1097~1.EXE
2228	svchost.com
4648	3B1097~1.EXE
1056	svchost.com
5100	3B1097~1.EXE
1484	svchost.com
4540	3B1097~1.EXE
3548	svchost.com
1452	3B1097~1.EXE
1520	svchost.com
3132	3B1097~1.EXE
772	svchost.com
2724	3B1097~1.EXE
2016	svchost.com
4732	3B1097~1.EXE
5072	svchost.com
5020	3B1097~1.EXE
4816	svchost.com
3148	3B1097~1.EXE
3200	svchost.com
3960	3B1097~1.EXE

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.comsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3b10978c0266d0ce9de63361b427117a.exe3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svchost.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svchost.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svchost.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svchost.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svchost.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3b10978c0266d0ce9de63361b427117a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3B1097~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

3b10978c0266d0ce9de63361b427117a.exe3b10978c0266d0ce9de63361b427117a.exesvchost.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	3b10978c0266d0ce9de63361b427117a.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.comsvchost.comsvchost.com3B1097~1.EXEsvchost.com3b10978c0266d0ce9de63361b427117a.exesvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.comsvchost.comsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com3B1097~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com3B1097~1.EXE3B1097~1.EXEsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3b10978c0266d0ce9de63361b427117a.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	3B1097~1.EXE
File opened for modification	C:\Windows\directx.sys	3B1097~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

svchost.com3b10978c0266d0ce9de63361b427117a.exe3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXEsvchost.com3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE3B1097~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3b10978c0266d0ce9de63361b427117a.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3B1097~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b10978c0266d0ce9de63361b427117a.exe3b10978c0266d0ce9de63361b427117a.exesvchost.exe3b10978c0266d0ce9de63361b427117a.exesvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXEsvchost.com3B1097~1.EXE

description	pid	process	target process
PID 620 wrote to memory of 4888	620	3b10978c0266d0ce9de63361b427117a.exe	3b10978c0266d0ce9de63361b427117a.exe
PID 620 wrote to memory of 4888	620	3b10978c0266d0ce9de63361b427117a.exe	3b10978c0266d0ce9de63361b427117a.exe
PID 620 wrote to memory of 4888	620	3b10978c0266d0ce9de63361b427117a.exe	3b10978c0266d0ce9de63361b427117a.exe
PID 4888 wrote to memory of 4800	4888	3b10978c0266d0ce9de63361b427117a.exe	svchost.exe
PID 4888 wrote to memory of 4800	4888	3b10978c0266d0ce9de63361b427117a.exe	svchost.exe
PID 4888 wrote to memory of 4800	4888	3b10978c0266d0ce9de63361b427117a.exe	svchost.exe
PID 4800 wrote to memory of 4020	4800	svchost.exe	3b10978c0266d0ce9de63361b427117a.exe
PID 4800 wrote to memory of 4020	4800	svchost.exe	3b10978c0266d0ce9de63361b427117a.exe
PID 4800 wrote to memory of 4020	4800	svchost.exe	3b10978c0266d0ce9de63361b427117a.exe
PID 4020 wrote to memory of 4128	4020	3b10978c0266d0ce9de63361b427117a.exe	svchost.com
PID 4020 wrote to memory of 4128	4020	3b10978c0266d0ce9de63361b427117a.exe	svchost.com
PID 4020 wrote to memory of 4128	4020	3b10978c0266d0ce9de63361b427117a.exe	svchost.com
PID 4128 wrote to memory of 3292	4128	svchost.com	3B1097~1.EXE
PID 4128 wrote to memory of 3292	4128	svchost.com	3B1097~1.EXE
PID 4128 wrote to memory of 3292	4128	svchost.com	3B1097~1.EXE
PID 3292 wrote to memory of 3432	3292	3B1097~1.EXE	svchost.com
PID 3292 wrote to memory of 3432	3292	3B1097~1.EXE	svchost.com
PID 3292 wrote to memory of 3432	3292	3B1097~1.EXE	svchost.com
PID 3432 wrote to memory of 4592	3432	svchost.com	3B1097~1.EXE
PID 3432 wrote to memory of 4592	3432	svchost.com	3B1097~1.EXE
PID 3432 wrote to memory of 4592	3432	svchost.com	3B1097~1.EXE
PID 4592 wrote to memory of 1512	4592	3B1097~1.EXE	svchost.com
PID 4592 wrote to memory of 1512	4592	3B1097~1.EXE	svchost.com
PID 4592 wrote to memory of 1512	4592	3B1097~1.EXE	svchost.com
PID 1512 wrote to memory of 4224	1512	svchost.com	3B1097~1.EXE
PID 1512 wrote to memory of 4224	1512	svchost.com	3B1097~1.EXE
PID 1512 wrote to memory of 4224	1512	svchost.com	3B1097~1.EXE
PID 4224 wrote to memory of 212	4224	3B1097~1.EXE	svchost.com
PID 4224 wrote to memory of 212	4224	3B1097~1.EXE	svchost.com
PID 4224 wrote to memory of 212	4224	3B1097~1.EXE	svchost.com
PID 212 wrote to memory of 2776	212	svchost.com	3B1097~1.EXE
PID 212 wrote to memory of 2776	212	svchost.com	3B1097~1.EXE
PID 212 wrote to memory of 2776	212	svchost.com	3B1097~1.EXE
PID 2776 wrote to memory of 552	2776	3B1097~1.EXE	svchost.com
PID 2776 wrote to memory of 552	2776	3B1097~1.EXE	svchost.com
PID 2776 wrote to memory of 552	2776	3B1097~1.EXE	svchost.com
PID 552 wrote to memory of 1516	552	svchost.com	3B1097~1.EXE
PID 552 wrote to memory of 1516	552	svchost.com	3B1097~1.EXE
PID 552 wrote to memory of 1516	552	svchost.com	3B1097~1.EXE
PID 1516 wrote to memory of 1296	1516	3B1097~1.EXE	svchost.com
PID 1516 wrote to memory of 1296	1516	3B1097~1.EXE	svchost.com
PID 1516 wrote to memory of 1296	1516	3B1097~1.EXE	svchost.com
PID 1296 wrote to memory of 388	1296	svchost.com	3B1097~1.EXE
PID 1296 wrote to memory of 388	1296	svchost.com	3B1097~1.EXE
PID 1296 wrote to memory of 388	1296	svchost.com	3B1097~1.EXE
PID 388 wrote to memory of 2664	388	3B1097~1.EXE	svchost.com
PID 388 wrote to memory of 2664	388	3B1097~1.EXE	svchost.com
PID 388 wrote to memory of 2664	388	3B1097~1.EXE	svchost.com
PID 2664 wrote to memory of 4540	2664	svchost.com	3B1097~1.EXE
PID 2664 wrote to memory of 4540	2664	svchost.com	3B1097~1.EXE
PID 2664 wrote to memory of 4540	2664	svchost.com	3B1097~1.EXE
PID 4540 wrote to memory of 3708	4540	3B1097~1.EXE	svchost.com
PID 4540 wrote to memory of 3708	4540	3B1097~1.EXE	svchost.com
PID 4540 wrote to memory of 3708	4540	3B1097~1.EXE	svchost.com
PID 3708 wrote to memory of 5096	3708	svchost.com	3B1097~1.EXE
PID 3708 wrote to memory of 5096	3708	svchost.com	3B1097~1.EXE
PID 3708 wrote to memory of 5096	3708	svchost.com	3B1097~1.EXE
PID 5096 wrote to memory of 3240	5096	3B1097~1.EXE	svchost.com
PID 5096 wrote to memory of 3240	5096	3B1097~1.EXE	svchost.com
PID 5096 wrote to memory of 3240	5096	3B1097~1.EXE	svchost.com
PID 3240 wrote to memory of 1132	3240	svchost.com	3B1097~1.EXE
PID 3240 wrote to memory of 1132	3240	svchost.com	3B1097~1.EXE
PID 3240 wrote to memory of 1132	3240	svchost.com	3B1097~1.EXE
PID 1132 wrote to memory of 1728	1132	3B1097~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\3b10978c0266d0ce9de63361b427117a.exe
"C:\Users\Admin\AppData\Local\Temp\3b10978c0266d0ce9de63361b427117a.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4128
      - C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        24⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:452

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2376

C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4640
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
  2⤵
  - Executes dropped EXE
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
    3⤵
    - Executes dropped EXE
    PID:4832
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4092
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3412
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        6⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        7⤵
        
        PID:4456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        8⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        10⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        12⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        20⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        22⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        23⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        24⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        32⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        33⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        34⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        36⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        37⤵
        Checks computer location settings
        Modifies registry class
        
        PID:652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        38⤵
        Drops file in Windows directory
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        39⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        41⤵
        
        PID:3492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        42⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        43⤵
        Modifies registry class
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        44⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        45⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        46⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        47⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        48⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        49⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        50⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        51⤵
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        52⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        53⤵
        Checks computer location settings
        
        PID:932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        54⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        55⤵
        Modifies registry class
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        56⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        57⤵
        
        PID:800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        58⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        59⤵
        
        PID:2628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        60⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        61⤵
        
        PID:3300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        62⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        63⤵
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        64⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        65⤵
        
        PID:3200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        66⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        67⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        68⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        69⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        70⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        71⤵
        Checks computer location settings
        Modifies registry class
        
        PID:372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        72⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        73⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        74⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        75⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        76⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        77⤵
        Modifies registry class
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        78⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        79⤵
        Checks computer location settings
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        80⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        81⤵
        
        PID:2024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        82⤵
        Drops file in Windows directory
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        83⤵
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        84⤵
        Drops file in Windows directory
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        85⤵
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        86⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        87⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        88⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        89⤵
        Checks computer location settings
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        90⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        91⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        92⤵
        Drops file in Windows directory
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        93⤵
        Modifies registry class
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        94⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        95⤵
        Checks computer location settings
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        96⤵
        Drops file in Windows directory
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        97⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        98⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        99⤵
        
        PID:3688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        100⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        101⤵
        Drops file in Windows directory
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        102⤵
        Modifies registry class
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        103⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        104⤵
        Drops file in Windows directory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        105⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        106⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        107⤵
        
        PID:3432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        108⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        109⤵
        
        PID:3356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        110⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        111⤵
        
        PID:4512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        112⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        113⤵
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        114⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        115⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        116⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        117⤵
        Drops file in Windows directory
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        118⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        119⤵
        
        PID:4424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        120⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        121⤵
        
        PID:3548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        122⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        123⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        124⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        125⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        126⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        127⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        128⤵
        Drops file in Windows directory
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        129⤵
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        130⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        131⤵
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        132⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        133⤵
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        134⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        135⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        136⤵
        Drops file in Windows directory
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        137⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        138⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        139⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        140⤵
        
        PID:176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        141⤵
        Checks computer location settings
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        142⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        143⤵
        
        PID:652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        144⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        145⤵
        
        PID:4800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        146⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        147⤵
        
        PID:388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        148⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        149⤵
        Drops file in Windows directory
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        150⤵
        Checks computer location settings
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        151⤵
        
        PID:4308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        152⤵
        Modifies registry class
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        153⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        154⤵
        Checks computer location settings
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        155⤵
        Modifies registry class
        
        PID:1348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        156⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        157⤵
        Checks computer location settings
        
        PID:4424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        158⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        159⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        160⤵
        Drops file in Windows directory
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        161⤵
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        162⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        163⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        164⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        165⤵
        
        PID:4192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        166⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        167⤵
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        168⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        169⤵
        Drops file in Windows directory
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        170⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        171⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        172⤵
        Drops file in Windows directory
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        173⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        174⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        175⤵
        
        PID:4808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        176⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        177⤵
        Checks computer location settings
        
        PID:4832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        178⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        179⤵
        Checks computer location settings
        
        PID:3908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        180⤵
        Drops file in Windows directory
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        181⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        182⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        183⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        184⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        185⤵
        Modifies registry class
        
        PID:3692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        186⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        187⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        188⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        189⤵
        
        PID:4308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        190⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        191⤵
        Checks computer location settings
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        192⤵
        Drops file in Windows directory
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        193⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        194⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        195⤵
        
        PID:4540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        196⤵
        Drops file in Windows directory
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        197⤵
        Modifies registry class
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        198⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        199⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        200⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        201⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        202⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        203⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        204⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        205⤵
        Checks computer location settings
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        206⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        207⤵
        Modifies registry class
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        208⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        209⤵
        Modifies registry class
        
        PID:3860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        210⤵
        Drops file in Windows directory
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        211⤵
        Checks computer location settings
        
        PID:4904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        212⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        213⤵
        Modifies registry class
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        214⤵
        Drops file in Windows directory
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        215⤵
        Checks computer location settings
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        216⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        217⤵
        Modifies registry class
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        218⤵
        Drops file in Windows directory
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        219⤵
        
        PID:4232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        220⤵
        Drops file in Windows directory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        221⤵
        
        PID:3432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        222⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        223⤵
        Checks computer location settings
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        224⤵
        Drops file in Windows directory
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        225⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        226⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        227⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        228⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        229⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        230⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        231⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        232⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        233⤵
        Modifies registry class
        
        PID:4424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        234⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        235⤵
        Checks computer location settings
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        236⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        237⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        238⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        239⤵
        
        PID:3564
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        240⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        241⤵
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        242⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        243⤵
        Checks computer location settings
        
        PID:4916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        244⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        245⤵
        
        PID:4732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        246⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        247⤵
        
        PID:4280
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        248⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        249⤵
        Drops file in Windows directory
        
        PID:2628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        250⤵
        Drops file in Windows directory
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        251⤵
        Checks computer location settings
        
        PID:4816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        252⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        253⤵
        Modifies registry class
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        254⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        255⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        256⤵
        Drops file in Windows directory
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        257⤵
        Modifies registry class
        
        PID:176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        258⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        259⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        260⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        261⤵
        Checks computer location settings
        
        PID:4456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        262⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        263⤵
        Modifies registry class
        
        PID:3856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE"
        264⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3B1097~1.EXE
        265⤵
        
        PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
471811cb30f5b707e1cb8d898ab9dd85

SHA1
d27a6db0457555ad5187eab3438073eb1034418e

SHA256
f4609ed3168deec3c6150a064956ce61bea6e18c746e55ca0b032ba56fc1f75c

SHA512
118f658797e84b08dd5495406ebb1c0dec96833ddbfe189777640085ddc47c3a943c2effed4273f4fec679269d1849ff9cd54bb31a1abb632438225cfca9af29

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
507KB

MD5
5e6a868a68e9773762f69a8ff5b31aec

SHA1
89e35086845e3f0318651eaf17cd582c83801b89

SHA256
9c37d3f5a2a2585b7944179a7aec31c53b313877be0928267b176a3193c246ac

SHA512
9dbf59e29e547b56ff1a3e4c40ffb5b437682cb15c9b4c3f1ef4ce63fd4eaa827dd71c44b5cf695943ad0392f0486ffec0cdcc1819417422a5644a1dcd936c5a

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE

Filesize
138KB

MD5
0f9222b31afbadee281b893446813533

SHA1
a028ef6853444c019ec37fb1f73c7b6ca25c4103

SHA256
c7357117d3ae8748077316914f5c5e5bab8ac960caf8287feaf5eab37e3a3031

SHA512
6599b3cce9d04f6c93d7e670693fa9768df365b30e9ea5abc07459643247256276027c17b89d9a23186f36eaa4865f75f62a0dd902102ac1f306f50a8574c0ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE

Filesize
288KB

MD5
633b0a088914283675e37864ecb6b293

SHA1
c697ddc27aa0cd19ddf9a762b3cb3fb956d19456

SHA256
b40dac0e9e9b60d6ff5a695302674130ddc14300693dce379aba03fba7f5014c

SHA512
16792c2611c4d7f6ed24a5a49dd6a8d32358bc74f2f063a3f526763e5af9018fe81b4486aa8ee39ca6e0163e9d9820ce6f073c443d9608028a1ca7152e1c49ee

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE

Filesize
1.5MB

MD5
e99db3da42bf45a23b960f47225db28b

SHA1
e2df8cf4ae9700d7f704d13865843af179ad6299

SHA256
cbe928e3cd3238367a841920f92a1ee6f991e6b44f75d23641aa8ea5ebcbcb6f

SHA512
aba88ff99415a949e7e553df8b2e8d481b2dd00642f8ed16057ea07cebe5169388a984b59efbfbad3292822ffa59f424115949d1c8e8c0299311c38842560674

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
380d6bf6345e63b70140beb7364b0b15

SHA1
ee14f61511dbc7d9b6920f1c78c8a57709931ed7

SHA256
162fa0da2e043f0939b8956baf4ed10e71390c2c0574ac94516b64636bcbb0f5

SHA512
7ee6644ddfce7a25fdc5164ae622264965d783b634c675043caf9ca9efbbb0898f753745b334cf6632d69f2482f59043936a904e445e33d8a7c8952d8d95fa51

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
27543bab17420af611ccc3029db9465a

SHA1
f0f96fd53f9695737a3fa6145bc5a6ce58227966

SHA256
75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

SHA512
a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
546KB

MD5
f73046d4899117b442abd803f5cd6507

SHA1
3a52570806d17e2c4dff8018427f2051fbbbba19

SHA256
58b45d5a3121efb173da74c60542b657eb7a82d70d495e9066dae8e5acc843a7

SHA512
56cac563b7caf1f38ca4134bd8ef668e1078d1c255a2ec129a41dcc8687bf6d93b29c59293a2534fce8772043b0ad8f4edb66c5ab0c06d55767744f110690940

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
546KB

MD5
f73046d4899117b442abd803f5cd6507

SHA1
3a52570806d17e2c4dff8018427f2051fbbbba19

SHA256
58b45d5a3121efb173da74c60542b657eb7a82d70d495e9066dae8e5acc843a7

SHA512
56cac563b7caf1f38ca4134bd8ef668e1078d1c255a2ec129a41dcc8687bf6d93b29c59293a2534fce8772043b0ad8f4edb66c5ab0c06d55767744f110690940

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3b10978c0266d0ce9de63361b427117a.exe

Filesize
510KB

MD5
38eb749b93dc7804ac768d060b406690

SHA1
b31482ddf2281b561bb23cb41bd3a81b863cc19d

SHA256
8b92575ff24cf6cfd055b72d24fda2cb39dd0e40f2d95ecc6026c2b0394f8f33

SHA512
ad1ad7154c67d4a75f7ad8568b3aa2e0603c5e2155be887951e98b619c26012cc3587948452f9ce514b8d37c421746f20c22fcf699d7f18f7a6ee81b772facf3

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
bdb2ff49da0a5710dcf2dc9499cabac4

SHA1
9a32b64b192b26248382d9efc255e323591a8968

SHA256
d7252262377f60e4f8deb152cc96871377c1ff5e2b76ece3d7cfab6df8415ced

SHA512
82a261ed14da6d32420ed346072119e02c7662c2b7e76b7b0b470309bf70436ca714a01649c8509c9681e0e3d3e8576d711253deefff89db7c6042917e80cfb2

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
bdb2ff49da0a5710dcf2dc9499cabac4

SHA1
9a32b64b192b26248382d9efc255e323591a8968

SHA256
d7252262377f60e4f8deb152cc96871377c1ff5e2b76ece3d7cfab6df8415ced

SHA512
82a261ed14da6d32420ed346072119e02c7662c2b7e76b7b0b470309bf70436ca714a01649c8509c9681e0e3d3e8576d711253deefff89db7c6042917e80cfb2

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
bdb2ff49da0a5710dcf2dc9499cabac4

SHA1
9a32b64b192b26248382d9efc255e323591a8968

SHA256
d7252262377f60e4f8deb152cc96871377c1ff5e2b76ece3d7cfab6df8415ced

SHA512
82a261ed14da6d32420ed346072119e02c7662c2b7e76b7b0b470309bf70436ca714a01649c8509c9681e0e3d3e8576d711253deefff89db7c6042917e80cfb2

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
bdb2ff49da0a5710dcf2dc9499cabac4

SHA1
9a32b64b192b26248382d9efc255e323591a8968

SHA256
d7252262377f60e4f8deb152cc96871377c1ff5e2b76ece3d7cfab6df8415ced

SHA512
82a261ed14da6d32420ed346072119e02c7662c2b7e76b7b0b470309bf70436ca714a01649c8509c9681e0e3d3e8576d711253deefff89db7c6042917e80cfb2

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
bdb2ff49da0a5710dcf2dc9499cabac4

SHA1
9a32b64b192b26248382d9efc255e323591a8968

SHA256
d7252262377f60e4f8deb152cc96871377c1ff5e2b76ece3d7cfab6df8415ced

SHA512
82a261ed14da6d32420ed346072119e02c7662c2b7e76b7b0b470309bf70436ca714a01649c8509c9681e0e3d3e8576d711253deefff89db7c6042917e80cfb2

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
bdb2ff49da0a5710dcf2dc9499cabac4

SHA1
9a32b64b192b26248382d9efc255e323591a8968

SHA256
d7252262377f60e4f8deb152cc96871377c1ff5e2b76ece3d7cfab6df8415ced

SHA512
82a261ed14da6d32420ed346072119e02c7662c2b7e76b7b0b470309bf70436ca714a01649c8509c9681e0e3d3e8576d711253deefff89db7c6042917e80cfb2

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
bdb2ff49da0a5710dcf2dc9499cabac4

SHA1
9a32b64b192b26248382d9efc255e323591a8968

SHA256
d7252262377f60e4f8deb152cc96871377c1ff5e2b76ece3d7cfab6df8415ced

SHA512
82a261ed14da6d32420ed346072119e02c7662c2b7e76b7b0b470309bf70436ca714a01649c8509c9681e0e3d3e8576d711253deefff89db7c6042917e80cfb2

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8d0bac1e4efc9878520f3ccce9cfe7af

SHA1
97533a9fe1bb70a09b9f009d4354a930f32aed71

SHA256
a2fb3511b9673fd1b6314efc01155a97a63bb6276d85e1439d1fdae2250a46a6

SHA512
50004e8bf7567e01fa088ffae6e2150b08c6f6e39668c1e47c7b39a2d1c989ec0e7364f68f8b67a6d1a63783c118bc6f3d6fb0043ff1d57dcf3edc8e588bfa40

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
13e083a9d53e948803694a603e69081a

SHA1
5f0926b43c970edad8b969cbec9cfebb5ad0a971

SHA256
305485ffc5c72617b5b4d6af8a69bc77574c05df4b21829e08bb3a6a2ffd16c5

SHA512
a2b4073ba2edafae7f276c2fb1279dd19f2be6dbe67ed1c9f94a082afca70286493b9c33e1fb705d7e1bab3fe66afc84173e9490751611b5c628970892d08814

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
13e083a9d53e948803694a603e69081a

SHA1
5f0926b43c970edad8b969cbec9cfebb5ad0a971

SHA256
305485ffc5c72617b5b4d6af8a69bc77574c05df4b21829e08bb3a6a2ffd16c5

SHA512
a2b4073ba2edafae7f276c2fb1279dd19f2be6dbe67ed1c9f94a082afca70286493b9c33e1fb705d7e1bab3fe66afc84173e9490751611b5c628970892d08814

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
13e083a9d53e948803694a603e69081a

SHA1
5f0926b43c970edad8b969cbec9cfebb5ad0a971

SHA256
305485ffc5c72617b5b4d6af8a69bc77574c05df4b21829e08bb3a6a2ffd16c5

SHA512
a2b4073ba2edafae7f276c2fb1279dd19f2be6dbe67ed1c9f94a082afca70286493b9c33e1fb705d7e1bab3fe66afc84173e9490751611b5c628970892d08814

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.2MB

MD5
4cb711ad8a1301936abd7af3eeb155da

SHA1
e736cfa0665a2d3af93dcefd7dc76bb725418573

SHA256
d6a8a3b9d1086e7d058b2cd1762223c1976815591f83542dab07dfc3d8f86323

SHA512
bc6b6d73aab7102bf93de0270bbb1bac5930314c2bc75f669d83010acf81ca822a67156fa055234e2021f9f3769c9fce9907bc189f753ad7e78850758e684960

Download Submit
C:\odt\office2016setup.exe

Filesize
5.2MB

MD5
bbc9d21bf2a4ef1435666f34cb1c3e9b

SHA1
37aa838e54caf298b3a0028ca4e18ca4750afc56

SHA256
b897e1593a6e21c111f19dd582f5f8bc8746d10b96bffba1b2f45913df40ee8f

SHA512
6e1e77acdc60d1550d6cdc0707e40604aa0101aa1dee3930e096dc6292a745cf88f4a01e2d3a3c8da2a2e8f87793421ece1d0f645a57c4c4117788accd181b9b

Download Submit
memory/212-165-0x0000000000000000-mapping.dmp

Download
memory/388-186-0x0000000000000000-mapping.dmp

Download
memory/452-227-0x0000000000000000-mapping.dmp

Download
memory/552-171-0x0000000000000000-mapping.dmp

Download
memory/772-253-0x0000000000000000-mapping.dmp

Download
memory/1056-245-0x0000000000000000-mapping.dmp

Download
memory/1132-208-0x0000000000000000-mapping.dmp

Download
memory/1296-182-0x0000000000000000-mapping.dmp

Download
memory/1452-250-0x0000000000000000-mapping.dmp

Download
memory/1484-247-0x0000000000000000-mapping.dmp

Download
memory/1512-159-0x0000000000000000-mapping.dmp

Download
memory/1516-174-0x0000000000000000-mapping.dmp

Download
memory/1520-251-0x0000000000000000-mapping.dmp

Download
memory/1728-220-0x0000000000000000-mapping.dmp

Download
memory/1808-235-0x0000000000000000-mapping.dmp

Download
memory/2016-255-0x0000000000000000-mapping.dmp

Download
memory/2228-243-0x0000000000000000-mapping.dmp

Download
memory/2376-152-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2376-268-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2424-240-0x0000000000000000-mapping.dmp

Download
memory/2480-263-0x0000000000000000-mapping.dmp

Download
memory/2556-265-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2664-188-0x0000000000000000-mapping.dmp

Download
memory/2724-254-0x0000000000000000-mapping.dmp

Download
memory/2776-168-0x0000000000000000-mapping.dmp

Download
memory/3132-252-0x0000000000000000-mapping.dmp

Download
memory/3148-260-0x0000000000000000-mapping.dmp

Download
memory/3172-241-0x0000000000000000-mapping.dmp

Download
memory/3200-261-0x0000000000000000-mapping.dmp

Download
memory/3240-204-0x0000000000000000-mapping.dmp

Download
memory/3292-150-0x0000000000000000-mapping.dmp

Download
memory/3412-232-0x0000000000000000-mapping.dmp

Download
memory/3424-233-0x0000000000000000-mapping.dmp

Download
memory/3432-153-0x0000000000000000-mapping.dmp

Download
memory/3548-249-0x0000000000000000-mapping.dmp

Download
memory/3564-264-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3692-237-0x0000000000000000-mapping.dmp

Download
memory/3708-194-0x0000000000000000-mapping.dmp

Download
memory/3712-224-0x0000000000000000-mapping.dmp

Download
memory/3960-262-0x0000000000000000-mapping.dmp

Download
memory/4020-140-0x0000000000000000-mapping.dmp

Download
memory/4076-222-0x0000000000000000-mapping.dmp

Download
memory/4092-231-0x0000000000000000-mapping.dmp

Download
memory/4128-146-0x0000000000000000-mapping.dmp

Download
memory/4140-242-0x0000000000000000-mapping.dmp

Download
memory/4156-236-0x0000000000000000-mapping.dmp

Download
memory/4220-229-0x0000000000000000-mapping.dmp

Download
memory/4224-163-0x0000000000000000-mapping.dmp

Download
memory/4280-225-0x0000000000000000-mapping.dmp

Download
memory/4280-266-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4456-234-0x0000000000000000-mapping.dmp

Download
memory/4540-248-0x0000000000000000-mapping.dmp

Download
memory/4540-192-0x0000000000000000-mapping.dmp

Download
memory/4548-238-0x0000000000000000-mapping.dmp

Download
memory/4592-157-0x0000000000000000-mapping.dmp

Download
memory/4624-267-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4640-228-0x0000000000000000-mapping.dmp

Download
memory/4648-244-0x0000000000000000-mapping.dmp

Download
memory/4732-256-0x0000000000000000-mapping.dmp

Download
memory/4764-223-0x0000000000000000-mapping.dmp

Download
memory/4772-239-0x0000000000000000-mapping.dmp

Download
memory/4800-144-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4800-139-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4800-135-0x0000000000000000-mapping.dmp

Download
memory/4808-226-0x0000000000000000-mapping.dmp

Download
memory/4816-259-0x0000000000000000-mapping.dmp

Download
memory/4832-230-0x0000000000000000-mapping.dmp

Download
memory/4888-137-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4888-132-0x0000000000000000-mapping.dmp

Download
memory/5020-258-0x0000000000000000-mapping.dmp

Download
memory/5072-257-0x0000000000000000-mapping.dmp

Download
memory/5096-197-0x0000000000000000-mapping.dmp

Download
memory/5100-246-0x0000000000000000-mapping.dmp

Download