neshta | 1d6c8100dff3e2e28678a0c696811df9a819638d20e60f503aa67fc999517a85

Resubmissions

29-11-2024 09:10

241129-k5ajmsslgj 10

30-12-2023 18:56

231230-xlfb1abgck 10

Analysis

max time kernel
127s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

386f41476b4e6f9d55fb0c3de0d89259.exe
Size

2.9MB
MD5

386f41476b4e6f9d55fb0c3de0d89259
SHA1

bd24870be3930ccd5d7920d81354585bca9e9b38
SHA256

1d6c8100dff3e2e28678a0c696811df9a819638d20e60f503aa67fc999517a85
SHA512

bb18b990bd2234b20bc5a5ad27a3d310947a7dd5b2f2d5983371435c00598e439af46594aadbf76231538713eed14ee3a675ce91ce472082ad1de4a34eee0085
SSDEEP

49152:jHyjtk2MYC5GDZHyjtk2MYC5GDhnJfwQDBBvURFuukUjez+PpQRqs3+n+n9:jmtk2aQmtk2awnJIAuDcUjeCBQRqs3+2

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 25 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x002e00000001420d-9.dat	family_neshta
behavioral1/files/0x002e00000001420d-2.dat	family_neshta
behavioral1/files/0x000100000001031d-14.dat	family_neshta
behavioral1/files/0x000100000000f780-118.dat	family_neshta
behavioral1/files/0x000100000000f87c-144.dat	family_neshta
behavioral1/files/0x0001000000011a1f-157.dat	family_neshta
behavioral1/memory/640-171-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2036-230-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1660-229-0x0000000000400000-0x00000000004A8000-memory.dmp	family_neshta
behavioral1/memory/2692-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2956-294-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2976-312-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3020-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2900-327-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/472-326-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2836-335-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2452-351-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1968-383-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1960-404-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1956-397-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2536-415-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2344-423-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1164-431-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2576-444-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2952-452-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

C:\Users\Admin\AppData\Local\Temp\386f41476b4e6f9d55fb0c3de0d89259.exe
"C:\Users\Admin\AppData\Local\Temp\386f41476b4e6f9d55fb0c3de0d89259.exe"
1⤵
PID:1872
- C:\Users\Admin\AppData\Local\Temp\3582-490\386f41476b4e6f9d55fb0c3de0d89259.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\386f41476b4e6f9d55fb0c3de0d89259.exe"
  2⤵
  PID:2680

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
1⤵
PID:2632
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:2576
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:2096
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        5⤵
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        6⤵
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        7⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        8⤵
        
        PID:1432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        9⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        9⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        9⤵
        
        PID:2468

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
1⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
1⤵
PID:2324
- C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
  "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
  2⤵
  PID:776
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  PID:624

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
1⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
  "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
  2⤵
  PID:3032
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
    3⤵
    PID:2692

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:3020

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2836
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2528

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1564
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:776
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:1640
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:624
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:2636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:2728

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1484
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:2952

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2856
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:284

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2912
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2568

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2388
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:1600

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
  2⤵
  PID:1512
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
      4⤵
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        5⤵
        
        PID:2192
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        6⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        7⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        8⤵
        
        PID:3012
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:2388
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
      4⤵
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        5⤵
        
        PID:1432

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:920
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:1104

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1968
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2216
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:1756
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:2920

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:856
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:2184

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1864
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:1500

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:828
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2540

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1620
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1936
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:1436
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:1460
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        5⤵
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        6⤵
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        7⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        8⤵
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        7⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        8⤵
        
        PID:872
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
      4⤵
      PID:1456
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:940
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:2388
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:640
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:1892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:828
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:548
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        5⤵
        
        PID:2592
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2420
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2968

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:1644
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:1876
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        5⤵
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        6⤵
        
        PID:968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        7⤵
        
        PID:2936
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:1500
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
      4⤵
      PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1532
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:652
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:2420

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2908
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2800
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:1048
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
      4⤵
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:2936
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
      4⤵
      PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        5⤵
        
        PID:2212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:896
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:1624
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        5⤵
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        6⤵
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        7⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        8⤵
        
        PID:2972

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:2868
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:2040
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        5⤵
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        6⤵
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        7⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        8⤵
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        9⤵
        
        PID:2756
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1672
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:1368

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2320
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2556

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1544
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:2336
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
      4⤵
      PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1976
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:796
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
      4⤵
      PID:900
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        5⤵
        
        PID:1744
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        6⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        7⤵
        
        PID:692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        8⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        9⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        10⤵
        
        PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:1900
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:584
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
    3⤵
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
      4⤵
      PID:2912
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        5⤵
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        6⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        7⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        8⤵
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        9⤵
        
        PID:1808
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        6⤵
        
        PID:1480

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1056
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:1588
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
      4⤵
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        5⤵
        
        PID:1476
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        6⤵
        
        PID:1876
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
    3⤵
    PID:304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:3004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:2308

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1096
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
1⤵
PID:1448
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
  2⤵
  PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
1⤵
PID:2124
- C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
  2⤵
  PID:1456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
171KB

MD5
aff832f073e215af6731722c6e3380f5

SHA1
8d69a17cc17e40809f957e9f8ee4fd236cc50257

SHA256
ab35362bed33caffd5342944e672e58cc45eadcfab20809ec0c4a2def50e3722

SHA512
7a7cc1cacdf2ace1e31cc585c3010f38fdad16f31b9b7a5757407a5aa729aac671e6cdbede31306935bf2158e93486c2ff3aaeddebf5006c77e65241f65d2359

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

Filesize
232KB

MD5
4f92ea512a03f591085678495646fc0a

SHA1
a62eb7b2e5669b49dfa429bdb2daebb5eee7bbba

SHA256
b586b10437e3dfefa895ffc026aab721f331bb33e5a36d49ce1a4b096bfe9edc

SHA512
fa648417e70c7bbd7425b5292cf0b72cb82360ac1daa541e6e426d4ed5d4f7bc2d1c56b588cb9f4dd11c329eb9eb97379b86e0cf4113cc9d4781370003dac82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\386f41476b4e6f9d55fb0c3de0d89259.exe

Filesize
92KB

MD5
ddca7e01be57af62b4594d34e86c9165

SHA1
44ddd0c7ea66a2756d450aeb6e01e338fef5bf39

SHA256
c8b46d56072deeaefc50456aa026531fcd707aa7713ee9607d5123a4299cb9ca

SHA512
3f1df0da7ebfff5374430639564c687e49a02333b3f6493abb85e42bec71a52ff8da5d833db9f7c180043bc011872e49256e3841e6e3d7a49b1c9a50bd04fbb3

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
8e4bd9619c227ef2bc20a2cb2aa55e7b

SHA1
a6214b7678b83c4db74b210625b4812300df3a74

SHA256
84ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9

SHA512
12a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\386f41476b4e6f9d55fb0c3de0d89259.exe

Filesize
94KB

MD5
43845c2755d9e944d43987f843081e6d

SHA1
fee9e3dbba763a3d0366b41e40051204a4c66910

SHA256
0ed13537d13f2dd2c001542db1d3b979445b1844a2ac47494b469ffafb4661a3

SHA512
482be4aa12a19a8b9ac624b9414bbfbd327c2c2c9112bb280b23fa2f83bf9fdf3f5ebcb226464ad3ce59fd8faacbbd004aa109dfcd00ba3e83797cbd8caa6d1f

Download Submit
memory/332-302-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/472-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-258-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/624-244-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/640-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/776-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/828-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/856-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1136-480-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1164-431-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-430-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1540-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1608-262-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1660-229-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1732-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1932-240-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1932-322-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1956-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1960-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1972-460-0x0000000072B6D000-0x0000000072B78000-memory.dmp

Filesize
44KB

Download
memory/2016-451-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2036-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2192-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-241-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2324-168-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2344-423-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2452-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2536-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-279-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2576-444-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-66-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2632-52-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2636-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2680-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2692-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2836-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2856-422-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2860-455-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-443-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-452-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2976-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3000-91-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/3000-188-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/3020-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3052-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download