neshta | 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
Size

174KB
MD5

46d423d2735e9147843a59d4c88cf0b0
SHA1

49ec9da7c7ffdd3acbb623ab811ec1534985cc86
SHA256

56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44
SHA512

5e080c3380612a4ab2e079198d53c36af909575e64f04ed79ca8b1c709793c165a49ece9887f876f06c98b5f45df366a7d617260a623ceaa477170df141366de
SSDEEP

3072:sr85CkKi0n88LmIfVJY/trRoWNLUa7NQa6qzTf0r85C:k9k5imIfAlCWNL3QOfs9

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x000900000002270d-4.dat	family_neshta
behavioral2/files/0x000900000002270d-8.dat	family_neshta
behavioral2/files/0x000900000002270d-6.dat	family_neshta
behavioral2/files/0x000900000002270d-17.dat	family_neshta
behavioral2/files/0x00070000000231fd-19.dat	family_neshta
behavioral2/memory/5060-18-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000900000002270d-28.dat	family_neshta
behavioral2/memory/3828-29-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2548-34-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000900000002270d-53.dat	family_neshta
behavioral2/memory/3644-46-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000900000002270d-65.dat	family_neshta
behavioral2/memory/1268-70-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000900000002270d-77.dat	family_neshta
behavioral2/files/0x000900000002270d-89.dat	family_neshta
behavioral2/files/0x000900000002270d-124.dat	family_neshta
behavioral2/memory/4368-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1688-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000900000002270d-136.dat	family_neshta
behavioral2/files/0x000100000002130d-151.dat	family_neshta
behavioral2/memory/4896-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000167ca-193.dat	family_neshta
behavioral2/files/0x000100000001e731-221.dat	family_neshta
behavioral2/memory/4392-236-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4152-247-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3644-259-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4260-261-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1640-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3720-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1980-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2884-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4168-300-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4368-302-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2040-308-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1064-310-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4548-323-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1364-324-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3584-326-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5108-339-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1504-347-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2796-355-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4040-363-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4344-356-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2680-364-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2200-366-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1320-372-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4000-379-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3552-380-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2928-382-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2352-390-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2404-398-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1980-396-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3720-388-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/116-348-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3828-340-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4924-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4912-406-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3464-414-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1348-422-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5060-435-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3016-428-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4920-420-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4368-412-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2884-404-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	56BB21~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
3516	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
5060	svchost.com
3828	56BB21~1.EXE
3836	svchost.com
2548	56BB21~1.EXE
2796	svchost.com
3644	56BB21~1.EXE
2276	svchost.com
4000	56BB21~1.EXE
3600	svchost.com
1268	56BB21~1.EXE
3552	svchost.com
1772	56BB21~1.EXE
4016	svchost.com
4368	56BB21~1.EXE
1688	svchost.com
3008	56BB21~1.EXE
1364	svchost.com
4896	56BB21~1.EXE
3332	svchost.com
4392	56BB21~1.EXE
3956	svchost.com
4152	56BB21~1.EXE
3644	svchost.com
4260	56BB21~1.EXE
4552	svchost.com
1640	56BB21~1.EXE
3720	svchost.com
1980	56BB21~1.EXE
848	svchost.com
2884	56BB21~1.EXE
4168	svchost.com
4368	56BB21~1.EXE
2040	svchost.com
1064	56BB21~1.EXE
4780	svchost.com
4548	56BB21~1.EXE
1364	svchost.com
3584	56BB21~1.EXE
4924	svchost.com
5108	56BB21~1.EXE
3828	svchost.com
1504	56BB21~1.EXE
116	svchost.com
2796	56BB21~1.EXE
4344	svchost.com
4040	56BB21~1.EXE
2680	svchost.com
2200	56BB21~1.EXE
1320	svchost.com
4000	56BB21~1.EXE
3552	svchost.com
2928	56BB21~1.EXE
3720	svchost.com
2352	56BB21~1.EXE
1980	svchost.com
2404	56BB21~1.EXE
2884	svchost.com
4912	56BB21~1.EXE
4368	svchost.com
3464	56BB21~1.EXE
4920	svchost.com
1348	56BB21~1.EXE
3016	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	56BB21~1.EXE
File opened for modification	C:\Windows\directx.sys	56BB21~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	56BB21~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3516	1924	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe	90
PID 1924 wrote to memory of 3516	1924	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe	90
PID 1924 wrote to memory of 3516	1924	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe	90
PID 3516 wrote to memory of 5060	3516	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe	155
PID 3516 wrote to memory of 5060	3516	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe	155
PID 3516 wrote to memory of 5060	3516	56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe	155
PID 5060 wrote to memory of 3828	5060	svchost.com	414
PID 5060 wrote to memory of 3828	5060	svchost.com	414
PID 5060 wrote to memory of 3828	5060	svchost.com	414
PID 3828 wrote to memory of 3836	3828	56BB21~1.EXE	157
PID 3828 wrote to memory of 3836	3828	56BB21~1.EXE	157
PID 3828 wrote to memory of 3836	3828	56BB21~1.EXE	157
PID 3836 wrote to memory of 2548	3836	svchost.com	95
PID 3836 wrote to memory of 2548	3836	svchost.com	95
PID 3836 wrote to memory of 2548	3836	svchost.com	95
PID 2548 wrote to memory of 2796	2548	56BB21~1.EXE	96
PID 2548 wrote to memory of 2796	2548	56BB21~1.EXE	96
PID 2548 wrote to memory of 2796	2548	56BB21~1.EXE	96
PID 2796 wrote to memory of 3644	2796	svchost.com	114
PID 2796 wrote to memory of 3644	2796	svchost.com	114
PID 2796 wrote to memory of 3644	2796	svchost.com	114
PID 3644 wrote to memory of 2276	3644	56BB21~1.EXE	98
PID 3644 wrote to memory of 2276	3644	56BB21~1.EXE	98
PID 3644 wrote to memory of 2276	3644	56BB21~1.EXE	98
PID 2276 wrote to memory of 4000	2276	svchost.com	99
PID 2276 wrote to memory of 4000	2276	svchost.com	99
PID 2276 wrote to memory of 4000	2276	svchost.com	99
PID 4000 wrote to memory of 3600	4000	56BB21~1.EXE	100
PID 4000 wrote to memory of 3600	4000	56BB21~1.EXE	100
PID 4000 wrote to memory of 3600	4000	56BB21~1.EXE	100
PID 3600 wrote to memory of 1268	3600	svchost.com	101
PID 3600 wrote to memory of 1268	3600	svchost.com	101
PID 3600 wrote to memory of 1268	3600	svchost.com	101
PID 1268 wrote to memory of 3552	1268	56BB21~1.EXE	402
PID 1268 wrote to memory of 3552	1268	56BB21~1.EXE	402
PID 1268 wrote to memory of 3552	1268	56BB21~1.EXE	402
PID 3552 wrote to memory of 1772	3552	svchost.com	404
PID 3552 wrote to memory of 1772	3552	svchost.com	404
PID 3552 wrote to memory of 1772	3552	svchost.com	404
PID 1772 wrote to memory of 4016	1772	56BB21~1.EXE	446
PID 1772 wrote to memory of 4016	1772	56BB21~1.EXE	446
PID 1772 wrote to memory of 4016	1772	56BB21~1.EXE	446
PID 4016 wrote to memory of 4368	4016	svchost.com	427
PID 4016 wrote to memory of 4368	4016	svchost.com	427
PID 4016 wrote to memory of 4368	4016	svchost.com	427
PID 4368 wrote to memory of 1688	4368	56BB21~1.EXE	106
PID 4368 wrote to memory of 1688	4368	56BB21~1.EXE	106
PID 4368 wrote to memory of 1688	4368	56BB21~1.EXE	106
PID 1688 wrote to memory of 3008	1688	svchost.com	434
PID 1688 wrote to memory of 3008	1688	svchost.com	434
PID 1688 wrote to memory of 3008	1688	svchost.com	434
PID 3008 wrote to memory of 1364	3008	56BB21~1.EXE	485
PID 3008 wrote to memory of 1364	3008	56BB21~1.EXE	485
PID 3008 wrote to memory of 1364	3008	56BB21~1.EXE	485
PID 1364 wrote to memory of 4896	1364	svchost.com	109
PID 1364 wrote to memory of 4896	1364	svchost.com	109
PID 1364 wrote to memory of 4896	1364	svchost.com	109
PID 4896 wrote to memory of 3332	4896	56BB21~1.EXE	110
PID 4896 wrote to memory of 3332	4896	56BB21~1.EXE	110
PID 4896 wrote to memory of 3332	4896	56BB21~1.EXE	110
PID 3332 wrote to memory of 4392	3332	svchost.com	489
PID 3332 wrote to memory of 4392	3332	svchost.com	489
PID 3332 wrote to memory of 4392	3332	svchost.com	489
PID 4392 wrote to memory of 3956	4392	56BB21~1.EXE	112

C:\Users\Admin\AppData\Local\Temp\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
"C:\Users\Admin\AppData\Local\Temp\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        41⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        66⤵
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        67⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        68⤵
        
        PID:3836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        69⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        70⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        71⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        72⤵
        
        PID:2340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        73⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        74⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        75⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        76⤵
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        77⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        78⤵
        Checks computer location settings
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        80⤵
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        81⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        82⤵
        Drops file in Windows directory
        
        PID:3488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        83⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        84⤵
        Modifies registry class
        
        PID:3316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        85⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        86⤵
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        87⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        89⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        90⤵
        Modifies registry class
        
        PID:4400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        91⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        92⤵
        Drops file in Windows directory
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        93⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        94⤵
        
        PID:3332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        95⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        96⤵
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        97⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        98⤵
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        100⤵
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        101⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        102⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        103⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        104⤵
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        105⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        106⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        107⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        108⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        109⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        110⤵
        
        PID:3384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        111⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        112⤵
        
        PID:3604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        113⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        114⤵
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        115⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        116⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        117⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        118⤵
        
        PID:4408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        119⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        120⤵
        
        PID:4920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        121⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        122⤵
        Modifies registry class
        
        PID:460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        123⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        124⤵
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        125⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        126⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        127⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        128⤵
        Modifies registry class
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        129⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        130⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        131⤵
        Drops file in Windows directory
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        132⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        133⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        134⤵
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        135⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        136⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        137⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        138⤵
        
        PID:64
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        139⤵
        Drops file in Windows directory
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        140⤵
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        141⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        142⤵
        Modifies registry class
        
        PID:3144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        143⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        144⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        145⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        146⤵
        Checks computer location settings
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        147⤵
        Drops file in Windows directory
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        148⤵
        Checks computer location settings
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        149⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        150⤵
        Checks computer location settings
        
        PID:4416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        151⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        152⤵
        Modifies registry class
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        153⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        154⤵
        Modifies registry class
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        155⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        156⤵
        
        PID:3928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        157⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        158⤵
        Checks computer location settings
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        159⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        160⤵
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        161⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        162⤵
        Drops file in Windows directory
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        163⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        164⤵
        Checks computer location settings
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        165⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        166⤵
        Drops file in Windows directory
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        167⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        168⤵
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        169⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        170⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        171⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        172⤵
        
        PID:3436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        173⤵
        Drops file in Windows directory
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        174⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        175⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        176⤵
        Checks computer location settings
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        178⤵
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        179⤵
        Drops file in Windows directory
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        180⤵
        Checks computer location settings
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        181⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        182⤵
        
        PID:3268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        183⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        184⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        185⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        186⤵
        
        PID:4296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        187⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        188⤵
        Modifies registry class
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        189⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        190⤵
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        191⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        192⤵
        
        PID:4388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        193⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        194⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        195⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        196⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        197⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        198⤵
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        199⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        200⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        201⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        202⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        203⤵
        Drops file in Windows directory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        204⤵
        
        PID:4820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        205⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        206⤵
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        207⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        208⤵
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        209⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        210⤵
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        211⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        212⤵
        Modifies registry class
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        213⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        214⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        215⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        216⤵
        
        PID:4336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        217⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        218⤵
        Drops file in Windows directory
        
        PID:700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        219⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        220⤵
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        221⤵
        Drops file in Windows directory
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        222⤵
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        223⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        224⤵
        
        PID:3340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        225⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        226⤵
        Modifies registry class
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        227⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        228⤵
        Checks computer location settings
        
        PID:3828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        229⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        230⤵
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        231⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        232⤵
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        233⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        234⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        235⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        236⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        237⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        238⤵
        Checks computer location settings
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        239⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        240⤵
        Drops file in Windows directory
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        241⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        242⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        243⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        244⤵
        
        PID:2160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        245⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        246⤵
        Modifies registry class
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        247⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        248⤵
        Checks computer location settings
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        249⤵
        Drops file in Windows directory
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        250⤵
        
        PID:3436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        251⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        252⤵
        Modifies registry class
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        253⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        254⤵
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        255⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        256⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        257⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        258⤵
        
        PID:4312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        259⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        260⤵
        Modifies registry class
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        261⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        262⤵
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        263⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        264⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        265⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        266⤵
        
        PID:3268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        267⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        268⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        269⤵
        Drops file in Windows directory
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        270⤵
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        271⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        272⤵
        
        PID:728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        273⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        274⤵
        Modifies registry class
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        275⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        276⤵
        
        PID:4856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        277⤵
        Drops file in Windows directory
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        278⤵
        
        PID:3736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        279⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        280⤵
        Modifies registry class
        
        PID:1552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        281⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        282⤵
        
        PID:1400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        283⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        284⤵
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        285⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        286⤵
        Modifies registry class
        
        PID:668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        287⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        288⤵
        Modifies registry class
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        289⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        290⤵
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        291⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        292⤵
        Checks computer location settings
        
        PID:1392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        293⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        294⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        295⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        296⤵
        Checks computer location settings
        
        PID:3316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        297⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        298⤵
        Modifies registry class
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        299⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        300⤵
        
        PID:1552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        301⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        302⤵
        Modifies registry class
        
        PID:32
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        303⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        304⤵
        Modifies registry class
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        305⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        306⤵
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        307⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        308⤵
        
        PID:3552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        309⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        310⤵
        Modifies registry class
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        311⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        312⤵
        
        PID:1392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        313⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        314⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        315⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        316⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        317⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        318⤵
        Checks computer location settings
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        319⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        320⤵
        Drops file in Windows directory
        
        PID:3828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        321⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        322⤵
        
        PID:4352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        323⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        324⤵
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        325⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        326⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        327⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        328⤵
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        329⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        330⤵
        Drops file in Windows directory
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        331⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        332⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        333⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        334⤵
        Modifies registry class
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        335⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        336⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        337⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        338⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        339⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        340⤵
        Checks computer location settings
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        341⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        342⤵
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        343⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        344⤵
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        345⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        346⤵
        
        PID:4396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        347⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        348⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        349⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        350⤵
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        351⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        352⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        353⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        354⤵
        Modifies registry class
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        355⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        356⤵
        Checks computer location settings
        
        PID:1552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        357⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        358⤵
        Checks computer location settings
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        359⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        360⤵
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        361⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        362⤵
        Checks computer location settings
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        363⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        364⤵
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        365⤵
        Drops file in Windows directory
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        366⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        367⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        368⤵
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        369⤵
        Drops file in Windows directory
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        370⤵
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        371⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        372⤵
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        373⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        374⤵
        Modifies registry class
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        375⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        376⤵
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        377⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        378⤵
        
        PID:32
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        379⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        380⤵
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        381⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        382⤵
        Modifies registry class
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        383⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        384⤵
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        385⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        386⤵
        Checks computer location settings
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        387⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        388⤵
        
        PID:1364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        389⤵
        Drops file in Windows directory
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        390⤵
        
        PID:3232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        391⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        392⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        393⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        394⤵
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        395⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        396⤵
        Checks computer location settings
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        397⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        398⤵
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        399⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        400⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        401⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        402⤵
        Checks computer location settings
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        403⤵
        Drops file in Windows directory
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        404⤵
        Checks computer location settings
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        405⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        406⤵
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        407⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        408⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        409⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        410⤵
        Modifies registry class
        
        PID:1364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        411⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        412⤵
        Checks computer location settings
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        413⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        414⤵
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        415⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        416⤵
        
        PID:4244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        417⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        418⤵
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        419⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        420⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        421⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        422⤵
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        423⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        424⤵
        Checks computer location settings
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        425⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        426⤵
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        427⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        428⤵
        Checks computer location settings
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        429⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        430⤵
        Drops file in Windows directory
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        431⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        432⤵
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        433⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        434⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        435⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        436⤵
        Drops file in Windows directory
        
        PID:3404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        437⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        438⤵
        Checks computer location settings
        
        PID:2340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        439⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        440⤵
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        441⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        442⤵
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        443⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        444⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        445⤵
        Drops file in Windows directory
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        446⤵
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        447⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        448⤵
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        449⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        450⤵
        Modifies registry class
        
        PID:3516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        451⤵
        Drops file in Windows directory
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        452⤵
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        453⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        454⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        455⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        456⤵
        
        PID:3960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        457⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        458⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        459⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        460⤵
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        461⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        462⤵
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        463⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        464⤵
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        465⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        466⤵
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        467⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        468⤵
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        469⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        470⤵
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        471⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        472⤵
        Checks computer location settings
        
        PID:668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        473⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        474⤵
        Modifies registry class
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        475⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        476⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        477⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        478⤵
        Drops file in Windows directory
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        479⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        480⤵
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        481⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        482⤵
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        483⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        484⤵
        
        PID:1548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        485⤵
        Drops file in Windows directory
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        486⤵
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        487⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        488⤵
        Modifies registry class
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        489⤵
        Drops file in Windows directory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        490⤵
        Checks computer location settings
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        491⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        492⤵
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        493⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        494⤵
        Checks computer location settings
        
        PID:3688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        495⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        496⤵
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        497⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        498⤵
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        499⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        500⤵
        Checks computer location settings
        
        PID:3232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        501⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        502⤵
        Checks computer location settings
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        503⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        504⤵
        Checks computer location settings
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        505⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        506⤵
        
        PID:3828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        507⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        508⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        509⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        510⤵
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        511⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        512⤵
        
        PID:4168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        513⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        514⤵
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        515⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        516⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        517⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        518⤵
        Checks computer location settings
        
        PID:4380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        519⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        520⤵
        
        PID:532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        521⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        522⤵
        
        PID:1956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        523⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        524⤵
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        525⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        526⤵
        Modifies registry class
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        527⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        528⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        529⤵
        Drops file in Windows directory
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        530⤵
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        531⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        532⤵
        
        PID:2772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        533⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        534⤵
        
        PID:1796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        535⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        536⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        537⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        538⤵
        Drops file in Windows directory
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        539⤵
        Drops file in Windows directory
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        540⤵
        Modifies registry class
        
        PID:3916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        541⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        542⤵
        Checks computer location settings
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        543⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        544⤵
        Drops file in Windows directory
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        545⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        546⤵
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        547⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        548⤵
        
        PID:5108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        549⤵
        Drops file in Windows directory
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        550⤵
        Modifies registry class
        
        PID:228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        551⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        552⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        553⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        554⤵
        Modifies registry class
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        555⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        556⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        557⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        558⤵
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        559⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        560⤵
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        561⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        562⤵
        
        PID:4200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        563⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        564⤵
        
        PID:3688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        565⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        566⤵
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        567⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        568⤵
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        569⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        570⤵
        Modifies registry class
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        571⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        572⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        573⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        574⤵
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        575⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        576⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        577⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        578⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        579⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        580⤵
        Checks computer location settings
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        581⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        582⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        583⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        584⤵
        Drops file in Windows directory
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        585⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        586⤵
        Checks computer location settings
        
        PID:4200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        587⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        588⤵
        
        PID:3480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        589⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        590⤵
        Modifies registry class
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        591⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        592⤵
        Modifies registry class
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        593⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        594⤵
        Modifies registry class
        
        PID:3692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        595⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        596⤵
        Checks computer location settings
        
        PID:1448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        597⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        598⤵
        Checks computer location settings
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        599⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        600⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        601⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        602⤵
        Modifies registry class
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        603⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        604⤵
        Modifies registry class
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        605⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        606⤵
        
        PID:3604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        607⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        608⤵
        Modifies registry class
        
        PID:3688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        609⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        610⤵
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        611⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        612⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        613⤵
        Drops file in Windows directory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        614⤵
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        615⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        616⤵
        Drops file in Windows directory
        
        PID:4352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        617⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        618⤵
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        619⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        620⤵
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        621⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        622⤵
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        623⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        624⤵
        
        PID:3532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        625⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        626⤵
        
        PID:2352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        627⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        628⤵
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        629⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        630⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        631⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        632⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        633⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        634⤵
        
        PID:3960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"
        635⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE
        636⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        637⤵
        
        PID:3652

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:8

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv meknDdkVeEar1LSWKaY17Q.0.2
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4904

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1924

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3740

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
50KB

MD5
986bff4aff6f66e91ace4e5fb3270e8b

SHA1
a952a6251ddd6af4f26318c0781d87c53697ec0b

SHA256
d957f9207f69e857e5b2a6188699e3d6a509b21ff15c14b432291ec77bbfed05

SHA512
ef7a1121daa89682cca834951e8113f36ce7f1aa588dfdd4ac87e44063476cf603239346916dcc44a8feca7b17a6acd1778193ab22dd9ca95a41d2ae9de92bcc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

Filesize
265KB

MD5
25e165d6a9c6c0c77ee1f94c9e58754b

SHA1
9b614c1280c75d058508bba2a468f376444b10c1

SHA256
8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217

SHA512
7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

Filesize
342KB

MD5
5da33a7b7941c4e76208ee7cddec8e0b

SHA1
cdd2e7b9b0e4be68417d4618e20a8283887c489c

SHA256
531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751

SHA512
977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
479KB

MD5
02d3c32bc62ebf875e3b7afe8c987678

SHA1
78895bc848f20ea7700fc5559d802c430be1b2bc

SHA256
b7374a93e027f2301bc3b8371ebd9fb1b28130ee987bf812bd3bf681f9d321d9

SHA512
643e6dfcd2bf5d907923574c13f7e8b892ffd71115134d2bf2f8e713020c2ac19ca8070440b6956fe90ef5c5c0d042abe07c4cbd61218bfaf3e14d4b5d402d58

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE

Filesize
139KB

MD5
147b5ade315673b925bdd21eba5d9732

SHA1
212b9882f166b187ef578298ee4bfdd174529115

SHA256
d49c72831f1b505b1846b23c3bf836219e27ea69e8fd43e8e4ca3ead7601252b

SHA512
7bb8186c67a20471d54fd37f3db55edaf86cdb34861359df092e1251ccadb80e2a71197304d192ccb5df0111676017be6823fd85617fefcb366ac405878caab0

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE

Filesize
282KB

MD5
0275a987cc74d5fdf7eeba36db4730d3

SHA1
96160f4a7cd6da92538e834053c03d24d52455e5

SHA256
ac14875f82cec7d2fd1e200df6623366e7435323f323599c13328f40770f7575

SHA512
9976c5f0d75421e7dbcf290946bf5e71dbf75a7e67c973b8e564076e39edcb2ea74ad6fc9f48a238830ffaaec2e3d689583d2652678238b9a0187e675b90791d

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE

Filesize
67KB

MD5
91c3c268296558de38b2d0f687b08e8e

SHA1
c71396d6a4658ae0cddef889739823a39f8c3884

SHA256
3d89d3923ddab22a415e0fcb87cf0ff4576c3c6783c9a50486ca940b39732ccd

SHA512
46f0a6e7c580fa0f90e2dcc9da1ac7a62ec1dba898147bbcf22d0e643c455679d4b3a716b4d06c3132424b849e2aea7ec9fdac0e14e2d85e2a52900b4ef5444e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
1.2MB

MD5
85be5cd42fb561a43f5927fe3a0752cd

SHA1
d6415238975bf429729c6a0c651e765963af7ad6

SHA256
42a0f8a29522b8bd28b819b4555e62d7970e6f0f568d9eb180728234117eb111

SHA512
e5ddb978c3485dd97e4596d1eb3538ca62e87eedc4f76138a0146ff8bbc92bfc0210c2b22fd4d04333a249754e38992dc4a3b1787f4d8aac9ec5f0902086b930

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
81KB

MD5
b4bfcde33a855eae311cad14cefb7130

SHA1
2cc66b2619f66d3c20816815c091c184312adfbc

SHA256
c2e7069abf8cedb38c900cf8a20be420540dbcc81fa6cf7ceb04fac900d91a83

SHA512
b3572438adc51a741fd675ace8e5485d3e3e5d6f87a4689e0411ae2744c7f5b62621a7ee60009745ede511574c0af0ded0087be0c89b70bf6d774b7a516089d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
41KB

MD5
a3162dd6d2451570323a9d47f487822d

SHA1
33314004ca51612a8ab0373c9f4e044bfa7fc44b

SHA256
acd565408f3c7c784c2b56c079cb8841d4ad0b994d3f3136f59e88ad99b7bbd5

SHA512
dbbbd9ecee43c2969d5b860715e3830310e4549e643f747f0927c990dafc126fd3d100027028e53c8d53b897683c620518227ba592f82be5cfb3a5bf9f61f999

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
46KB

MD5
1b923a0fcc19399eb4e5238caa7b541a

SHA1
89853f9759c2780ebc903aa87610a5c1ef8824c5

SHA256
f915780145ac3aa8b586c45623de49b6d2dd835532bfcec64daf16cd9a462824

SHA512
7522932a95730a6a93aa74c892643cd37db0a26a5dc60c117d59ee5b9cc5424989d207987f0dcfbad3feedb6b1c0ea27adb0f9b6a4524e70f7be063cb5ff0d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
1KB

MD5
173a0679f1f079ed485095d59c927e40

SHA1
8e773b83c56de72e6c07c2a7cfa1ed4a5814a997

SHA256
f1e7e929216d73934576bb882d4e322dbc5dcfd07833294fc1a253fa993fa199

SHA512
c7088aa947a6ccd798477711f1d869aec3aa00e92868ce4858561ed086fa6718f836ec6d4f5c2ebd5f7cc6e8df746f3db0f011492544b588ae5d8713e771d6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
134KB

MD5
6815967312a8c0644d90c96670cae9cc

SHA1
25e02a1e42394325fa35df7323b944e24ddb9331

SHA256
7bb5244cfc5ed201cdd6c1ef584bf5756ffd61363fca4cc0f7f4dfeb786fda80

SHA512
6a2c0b917d7cb7dbd1427920ad1d50cce03b40763c57527751a3bd29bcd935687a3b0fbdc90ef096e1ca6836b47bf007c01607a2e48ba0836134ac95b3fdeff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
35KB

MD5
d817c341f81b7f10669e7fe3e06de202

SHA1
ad8aeb0b28a42224f97c0bb800bf373c6c730daa

SHA256
23fdb06f6a8c28f2a3b4e31355fc36115dac8152dba8ced75dff8634f479676c

SHA512
6b3d283c2fdc01bc44a42c133365490827561a52ca61e434b40b1590bd00eb449eac0ce6c269c624775f473241b2a770e3c3ed9657ee230bb285c96738e855d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
125KB

MD5
48e944cd31f175b12d5f87784802eecb

SHA1
0705d941be65e8d2384084f6735d1ce16ef339bf

SHA256
65effabd433f21d54a430ad1b08bd1b1e6491116b399f61a2c1d5ed2aa1edff1

SHA512
fdc90ce64b135218a24473feda500a36be8c872edd02db2bccce5c441cca2d0554f67f0c41240fd12b3ed7302abc7b3b70240bf372c85dc52554f33d29a35fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
64KB

MD5
ce94744d261b6a32b9167dcf8b5b4bcf

SHA1
bf4ce4fb604ad6eb5f16578d2ed67aed72b4dc94

SHA256
b8ac6c8362b658bfb3bd04aec59f320cd42d30fae2f23e42a911693a0c8ab6c8

SHA512
f22b140ca73038d70df37cb0034540cf630c9b2bed40b1fa9d7c5aa0345a483cc953216089bcdafb459ce82f14a09a1d0896b580e96294ec5b73d71c8213c425

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
84KB

MD5
458c60c36b3e60c710d120cbd879f33d

SHA1
6b5ebd5e7bf05dcbeab800183722c538c74a0d9d

SHA256
b069eadb6814bac9703466b96caa16acbf8794b81a673733dfd3da68a0918364

SHA512
a0d5ea9196c893ad6df62dacb6681057c304ecc5a5f975a8747e563252de3754d7bb458dd749c6377907d14320ddd516338631bb2badb16acc754994e3dfab83

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
101KB

MD5
189ac90143733ae174de71f77881c945

SHA1
ddd369c8579c8a89bf081cfa7b74a94ce784972c

SHA256
f3bafdd35756c8ec69da65197acd89349dc956520aa64145a35f1c2079d2c977

SHA512
d2fb2477ffef230f87e54694d94407f9ec3325d6d3265645493cd08c89839b2babbd032de36882d01a446fcbc965af66ec289f99a5a5ab3d1e7ea58067e42d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe

Filesize
116KB

MD5
4ec4b1656fec3c57ce7c5f089b8d8b57

SHA1
3e1075796493353e8548c7d920fb00d584816ef4

SHA256
681812f00d443be5f49e42616abb7500a9ddeecb5dd1a0ef29917157fa851e7e

SHA512
115d9493f363d7e52c242ad0e6a1d1887fc2fe61ebc243eb679d9c5e1e0c457984659d6a34b7536fcc7111c985170563432c3002fa5d027a82b32e22a7ca6778

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
506317fce7334b1fb1963a24a56b2345

SHA1
28ea3d27c5374da71cf286c13ea614ba4006c0ee

SHA256
adf40e5eb60ba0b256fe45fdfe7684f6efaf27dcf4a766e3394e9fa1ed950168

SHA512
357dd50bc6dd69124d23caaa7969eb7271632343fa7171cfee8a300bb2128a6976068825a2435f28033fde0b21c7a1b1d18efdb517e6395d8a8866af51ba8b85

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
2.1MB

MD5
ba04a2d0f4fa2d20bad2e48232180628

SHA1
0f30e46edb65bd27ef38a4314f5e2191a8d94208

SHA256
a19c81147a57ced467ea688d302c84c8ba5e856b2f14c6d26ca3d7dedaba8973

SHA512
a6f1cc98a49bfe81a009c6562c00315360a1cd5c7f6cc5d3d83b9d8ecfedc84f0abcfdcc2355be4c72b1536bd437f7c04d0c9d17aefcb0d4c49b6e96ad84c9dc

Download Submit
memory/116-348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/848-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1064-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1268-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1320-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1348-422-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1364-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1364-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1640-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1688-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2200-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2680-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2928-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-428-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3332-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3464-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3552-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3552-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3584-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3600-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3720-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3720-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3828-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3828-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3836-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3956-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4000-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4000-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4016-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4040-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4152-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4168-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4260-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4344-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4368-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4368-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4368-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4392-236-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4548-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4552-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4780-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4896-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4912-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4920-420-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4924-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5060-435-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5060-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5108-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads