neshta | 34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
Size

206KB
MD5

aa08eb4c01a8f694395ad2a5281b0235
SHA1

ef8e99ed36a864a9b1d3e91705506a076e7d6274
SHA256

34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211
SHA512

d8fc08ff2a9924b72d24d6d515d9797326a84a14adbd6509354659f6c5504a515cd9ee95475d797ed01b28243dd31e4bfd954040932458b78b37ab0ed0ec7579
SSDEEP

1536:JxqjQ+P04wsmJCjZdX7Xl0CFChLCZdBFmav82unyYNrbmpcKJOxqjQ+P04wsmJCH:sr85CfXl0CFUeZUOuPHK9r85Cxr85C

Score

10^/10

neshta phorphiex evasion loader persistence spyware stealer trojan worm

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/4576-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2900-20-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1220-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1600-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/828-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/212-50-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3792-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2520-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5092-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4652-68-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1524-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3132-80-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4100-88-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/628-99-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
behavioral2/memory/3472-119-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4580-123-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4492-131-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4604-143-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	family_neshta
behavioral2/memory/404-158-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	family_neshta
behavioral2/memory/4092-224-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1224-237-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3564-245-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4900-251-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2752-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2012-259-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3016-266-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2964-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2096-269-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2272-275-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2344-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5056-283-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4412-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4376-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4216-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1608-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3880-306-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1932-307-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1284-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1964-315-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1764-317-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

winblrsnrcs.exesysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Phorphiex payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe	family_phorphiex
C:\Users\Admin\sysdinrdvs.exe	family_phorphiex
C:\Windows\sysmablsvr.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

3068410584.exewupgrdsv.exe

description	pid	process	target process
PID 2848 created 3436	2848	3068410584.exe	Explorer.EXE
PID 2848 created 3436	2848	3068410584.exe	Explorer.EXE
PID 4032 created 3436	4032	wupgrdsv.exe	Explorer.EXE
PID 4032 created 3436	4032	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winblrsnrcs.exesysmablsvr.exe34628C~1.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblrsnrcs.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	34628C~1.EXE

Executes dropped EXE 64 IoCs

Processes:

34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exesvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com

pid	process
2916	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
4576	svchost.com
2900	34628C~1.EXE
1220	svchost.com
1600	34628C~1.EXE
828	svchost.com
212	34628C~1.EXE
3792	svchost.com
2520	34628C~1.EXE
5092	svchost.com
4652	34628C~1.EXE
1524	svchost.com
3132	34628C~1.EXE
4100	svchost.com
628	34628C~1.EXE
3472	svchost.com
4580	34628C~1.EXE
4492	svchost.com
4604	34628C~1.EXE
404	svchost.com
4092	34628C~1.EXE
1224	svchost.com
3564	34628C~1.EXE
4900	svchost.com
2752	34628C~1.EXE
2012	svchost.com
3016	34628C~1.EXE
2964	svchost.com
2096	34628C~1.EXE
2272	svchost.com
2344	34628C~1.EXE
5056	svchost.com
4412	34628C~1.EXE
4376	svchost.com
4216	34628C~1.EXE
1608	svchost.com
3880	34628C~1.EXE
1932	svchost.com
1284	34628C~1.EXE
1964	svchost.com
1764	34628C~1.EXE
2368	svchost.com
1836	34628C~1.EXE
1852	svchost.com
3464	34628C~1.EXE
672	svchost.com
4448	34628C~1.EXE
2732	svchost.com
4876	34628C~1.EXE
3156	svchost.com
5092	34628C~1.EXE
1580	svchost.com
4168	34628C~1.EXE
2524	svchost.com
3560	34628C~1.EXE
3092	svchost.com
2264	34628C~1.EXE
3924	svchost.com
3424	34628C~1.EXE
1724	svchost.com
1340	34628C~1.EXE
2788	svchost.com
2848	34628C~1.EXE
1072	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmablsvr.exewinblrsnrcs.exe34628C~1.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	34628C~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3191529532.exe34628C~1.EXE1973215878.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winblrsnrcs.exe"	3191529532.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe"	34628C~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe"	34628C~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	1973215878.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 4032 set thread context of 4500 4032 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 4032 set thread context of 4500	4032	wupgrdsv.exe	notepad.exe

Drops file in Program Files directory 64 IoCs

Processes:

34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_proxy.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_pwa_launcher.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe

Drops file in Windows directory 64 IoCs

Processes:

34628C~1.EXEsvchost.comsvchost.com34628C~1.EXEsvchost.com34628C~1.EXE34628C~1.EXEsvchost.comsvchost.comsvchost.com34628C~1.EXE34628C~1.EXE34628C~1.EXEsvchost.com34628C~1.EXE34628C~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com34628C~1.EXE34628C~1.EXEsvchost.com34628C~1.EXE34628C~1.EXEsvchost.com34628C~1.EXE34628C~1.EXEsvchost.comsvchost.com34628C~1.EXEsvchost.comsvchost.com34628C~1.EXEsvchost.comsvchost.com34628C~1.EXEsvchost.comsvchost.com34628C~1.EXE34628C~1.EXEsvchost.com34628C~1.EXEsvchost.comsvchost.comsvchost.com34628C~1.EXE34628C~1.EXE34628C~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com34628C~1.EXEsvchost.comsvchost.com34628C~1.EXE

description	ioc	process
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	34628C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	34628C~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE34628C~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	34628C~1.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3068410584.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
2848	3068410584.exe
2848	3068410584.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
2848	3068410584.exe
2848	3068410584.exe
4032	wupgrdsv.exe
4032	wupgrdsv.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
4032	wupgrdsv.exe
4032	wupgrdsv.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysmablsvr.exe

pid process

1836 sysmablsvr.exe

pid	process
1836	sysmablsvr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	696	powershell.exe
Token: SeIncreaseQuotaPrivilege	696	powershell.exe
Token: SeSecurityPrivilege	696	powershell.exe
Token: SeTakeOwnershipPrivilege	696	powershell.exe
Token: SeLoadDriverPrivilege	696	powershell.exe
Token: SeSystemProfilePrivilege	696	powershell.exe
Token: SeSystemtimePrivilege	696	powershell.exe
Token: SeProfSingleProcessPrivilege	696	powershell.exe
Token: SeIncBasePriorityPrivilege	696	powershell.exe
Token: SeCreatePagefilePrivilege	696	powershell.exe
Token: SeBackupPrivilege	696	powershell.exe
Token: SeRestorePrivilege	696	powershell.exe
Token: SeShutdownPrivilege	696	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeSystemEnvironmentPrivilege	696	powershell.exe
Token: SeRemoteShutdownPrivilege	696	powershell.exe
Token: SeUndockPrivilege	696	powershell.exe
Token: SeManageVolumePrivilege	696	powershell.exe
Token: 33	696	powershell.exe
Token: 34	696	powershell.exe
Token: 35	696	powershell.exe
Token: 36	696	powershell.exe
Token: SeIncreaseQuotaPrivilege	696	powershell.exe
Token: SeSecurityPrivilege	696	powershell.exe
Token: SeTakeOwnershipPrivilege	696	powershell.exe
Token: SeLoadDriverPrivilege	696	powershell.exe
Token: SeSystemProfilePrivilege	696	powershell.exe
Token: SeSystemtimePrivilege	696	powershell.exe
Token: SeProfSingleProcessPrivilege	696	powershell.exe
Token: SeIncBasePriorityPrivilege	696	powershell.exe
Token: SeCreatePagefilePrivilege	696	powershell.exe
Token: SeBackupPrivilege	696	powershell.exe
Token: SeRestorePrivilege	696	powershell.exe
Token: SeShutdownPrivilege	696	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeSystemEnvironmentPrivilege	696	powershell.exe
Token: SeRemoteShutdownPrivilege	696	powershell.exe
Token: SeUndockPrivilege	696	powershell.exe
Token: SeManageVolumePrivilege	696	powershell.exe
Token: 33	696	powershell.exe
Token: 34	696	powershell.exe
Token: 35	696	powershell.exe
Token: 36	696	powershell.exe
Token: SeIncreaseQuotaPrivilege	696	powershell.exe
Token: SeSecurityPrivilege	696	powershell.exe
Token: SeTakeOwnershipPrivilege	696	powershell.exe
Token: SeLoadDriverPrivilege	696	powershell.exe
Token: SeSystemProfilePrivilege	696	powershell.exe
Token: SeSystemtimePrivilege	696	powershell.exe
Token: SeProfSingleProcessPrivilege	696	powershell.exe
Token: SeIncBasePriorityPrivilege	696	powershell.exe
Token: SeCreatePagefilePrivilege	696	powershell.exe
Token: SeBackupPrivilege	696	powershell.exe
Token: SeRestorePrivilege	696	powershell.exe
Token: SeShutdownPrivilege	696	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeSystemEnvironmentPrivilege	696	powershell.exe
Token: SeRemoteShutdownPrivilege	696	powershell.exe
Token: SeUndockPrivilege	696	powershell.exe
Token: SeManageVolumePrivilege	696	powershell.exe
Token: 33	696	powershell.exe
Token: 34	696	powershell.exe
Token: 35	696	powershell.exe
Token: 36	696	powershell.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

notepad.exe

pid	process
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

notepad.exe

pid	process
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe
4500	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exesvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXEsvchost.com34628C~1.EXE

description	pid	process	target process
PID 3684 wrote to memory of 2916	3684	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
PID 3684 wrote to memory of 2916	3684	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
PID 3684 wrote to memory of 2916	3684	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
PID 2916 wrote to memory of 4576	2916	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe	svchost.com
PID 2916 wrote to memory of 4576	2916	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe	svchost.com
PID 2916 wrote to memory of 4576	2916	34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe	svchost.com
PID 4576 wrote to memory of 2900	4576	svchost.com	34628C~1.EXE
PID 4576 wrote to memory of 2900	4576	svchost.com	34628C~1.EXE
PID 4576 wrote to memory of 2900	4576	svchost.com	34628C~1.EXE
PID 2900 wrote to memory of 1220	2900	34628C~1.EXE	svchost.com
PID 2900 wrote to memory of 1220	2900	34628C~1.EXE	svchost.com
PID 2900 wrote to memory of 1220	2900	34628C~1.EXE	svchost.com
PID 1220 wrote to memory of 1600	1220	svchost.com	34628C~1.EXE
PID 1220 wrote to memory of 1600	1220	svchost.com	34628C~1.EXE
PID 1220 wrote to memory of 1600	1220	svchost.com	34628C~1.EXE
PID 1600 wrote to memory of 828	1600	34628C~1.EXE	svchost.com
PID 1600 wrote to memory of 828	1600	34628C~1.EXE	svchost.com
PID 1600 wrote to memory of 828	1600	34628C~1.EXE	svchost.com
PID 828 wrote to memory of 212	828	svchost.com	34628C~1.EXE
PID 828 wrote to memory of 212	828	svchost.com	34628C~1.EXE
PID 828 wrote to memory of 212	828	svchost.com	34628C~1.EXE
PID 212 wrote to memory of 3792	212	34628C~1.EXE	svchost.com
PID 212 wrote to memory of 3792	212	34628C~1.EXE	svchost.com
PID 212 wrote to memory of 3792	212	34628C~1.EXE	svchost.com
PID 3792 wrote to memory of 2520	3792	svchost.com	34628C~1.EXE
PID 3792 wrote to memory of 2520	3792	svchost.com	34628C~1.EXE
PID 3792 wrote to memory of 2520	3792	svchost.com	34628C~1.EXE
PID 2520 wrote to memory of 5092	2520	34628C~1.EXE	34628C~1.EXE
PID 2520 wrote to memory of 5092	2520	34628C~1.EXE	34628C~1.EXE
PID 2520 wrote to memory of 5092	2520	34628C~1.EXE	34628C~1.EXE
PID 5092 wrote to memory of 4652	5092	svchost.com	34628C~1.EXE
PID 5092 wrote to memory of 4652	5092	svchost.com	34628C~1.EXE
PID 5092 wrote to memory of 4652	5092	svchost.com	34628C~1.EXE
PID 4652 wrote to memory of 1524	4652	34628C~1.EXE	svchost.com
PID 4652 wrote to memory of 1524	4652	34628C~1.EXE	svchost.com
PID 4652 wrote to memory of 1524	4652	34628C~1.EXE	svchost.com
PID 1524 wrote to memory of 3132	1524	svchost.com	34628C~1.EXE
PID 1524 wrote to memory of 3132	1524	svchost.com	34628C~1.EXE
PID 1524 wrote to memory of 3132	1524	svchost.com	34628C~1.EXE
PID 3132 wrote to memory of 4100	3132	34628C~1.EXE	svchost.com
PID 3132 wrote to memory of 4100	3132	34628C~1.EXE	svchost.com
PID 3132 wrote to memory of 4100	3132	34628C~1.EXE	svchost.com
PID 4100 wrote to memory of 628	4100	svchost.com	34628C~1.EXE
PID 4100 wrote to memory of 628	4100	svchost.com	34628C~1.EXE
PID 4100 wrote to memory of 628	4100	svchost.com	34628C~1.EXE
PID 628 wrote to memory of 3472	628	34628C~1.EXE	svchost.com
PID 628 wrote to memory of 3472	628	34628C~1.EXE	svchost.com
PID 628 wrote to memory of 3472	628	34628C~1.EXE	svchost.com
PID 3472 wrote to memory of 4580	3472	svchost.com	34628C~1.EXE
PID 3472 wrote to memory of 4580	3472	svchost.com	34628C~1.EXE
PID 3472 wrote to memory of 4580	3472	svchost.com	34628C~1.EXE
PID 4580 wrote to memory of 4492	4580	34628C~1.EXE	svchost.com
PID 4580 wrote to memory of 4492	4580	34628C~1.EXE	svchost.com
PID 4580 wrote to memory of 4492	4580	34628C~1.EXE	svchost.com
PID 4492 wrote to memory of 4604	4492	svchost.com	34628C~1.EXE
PID 4492 wrote to memory of 4604	4492	svchost.com	34628C~1.EXE
PID 4492 wrote to memory of 4604	4492	svchost.com	34628C~1.EXE
PID 4604 wrote to memory of 404	4604	34628C~1.EXE	svchost.com
PID 4604 wrote to memory of 404	4604	34628C~1.EXE	svchost.com
PID 4604 wrote to memory of 404	4604	34628C~1.EXE	svchost.com
PID 404 wrote to memory of 4092	404	svchost.com	34628C~1.EXE
PID 404 wrote to memory of 4092	404	svchost.com	34628C~1.EXE
PID 404 wrote to memory of 4092	404	svchost.com	34628C~1.EXE
PID 4092 wrote to memory of 1224	4092	34628C~1.EXE	svchost.com

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
"C:\Users\Admin\AppData\Local\Temp\34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe"
2⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\3582-490\34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
18⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
22⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
23⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
24⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
25⤵
- Executes dropped EXE
PID:3564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
26⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
28⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
30⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
31⤵
- Executes dropped EXE
PID:2096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
32⤵
- Executes dropped EXE
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
33⤵
- Checks computer location settings
- Executes dropped EXE
PID:2344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
34⤵
- Executes dropped EXE
PID:5056

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
35⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
36⤵
- Executes dropped EXE
PID:4376

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
37⤵
- Checks computer location settings
- Executes dropped EXE
PID:4216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
38⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
39⤵
- Executes dropped EXE
PID:3880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
40⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
41⤵
- Checks computer location settings
- Executes dropped EXE
PID:1284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
42⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
43⤵
- Checks computer location settings
- Executes dropped EXE
PID:1764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
44⤵
- Executes dropped EXE
PID:2368

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
46⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
47⤵
- Checks computer location settings
- Executes dropped EXE
PID:3464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
48⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:672

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
49⤵
- Checks computer location settings
- Executes dropped EXE
PID:4448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
50⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
51⤵
- Executes dropped EXE
- Modifies registry class
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
52⤵
- Executes dropped EXE
PID:3156

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
53⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
54⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
55⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
56⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2524

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
57⤵
- Checks computer location settings
- Executes dropped EXE
PID:3560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
58⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
60⤵
- Executes dropped EXE
PID:3924

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
61⤵
- Executes dropped EXE
- Modifies registry class
PID:3424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
62⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
63⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2788

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
65⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
66⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
67⤵
- Modifies registry class
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
68⤵
- Drops file in Windows directory
PID:2500

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
69⤵
- Modifies registry class
PID:1764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
70⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
71⤵
- Checks computer location settings
- Modifies registry class
PID:544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
72⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
73⤵
- Drops file in Windows directory
- Modifies registry class
PID:1592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
74⤵
- Drops file in Windows directory
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
75⤵
- Drops file in Windows directory
PID:5036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
76⤵
- Drops file in Windows directory
PID:4876

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
77⤵
PID:4372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
78⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
79⤵
- Checks computer location settings
- Modifies registry class
PID:3120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
80⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
81⤵
- Checks computer location settings
- Modifies registry class
PID:4432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
82⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
83⤵
- Drops file in Windows directory
- Modifies registry class
PID:3108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
84⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
85⤵
- Modifies registry class
PID:4972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
86⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
87⤵
- Drops file in Windows directory
- Modifies registry class
PID:1196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
88⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
89⤵
- Checks computer location settings
PID:1852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
90⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
91⤵
PID:1244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
92⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
93⤵
- Modifies registry class
PID:5048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
94⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
95⤵
- Checks computer location settings
- Modifies registry class
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
96⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
97⤵
- Checks computer location settings
- Modifies registry class
PID:5092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
98⤵
- Drops file in Windows directory
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
99⤵
PID:4512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
100⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
101⤵
PID:4916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
102⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
103⤵
- Modifies registry class
PID:4492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
104⤵
- Drops file in Windows directory
PID:3608

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
105⤵
PID:3076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
106⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
107⤵
- Checks computer location settings
- Modifies registry class
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
108⤵
- Drops file in Windows directory
PID:1340

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
109⤵
PID:3696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
110⤵
- Drops file in Windows directory
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
111⤵
- Checks computer location settings
- Modifies registry class
PID:4844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
112⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
113⤵
- Checks computer location settings
- Modifies registry class
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
114⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
115⤵
- Checks computer location settings
- Modifies registry class
PID:4504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
116⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
117⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
118⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
119⤵
- Drops file in Windows directory
PID:3600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
120⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
121⤵
- Modifies registry class
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
122⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
123⤵
- Modifies registry class
PID:2344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
124⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
125⤵
- Modifies registry class
PID:3956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
126⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
127⤵
PID:3076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
128⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
129⤵
- Checks computer location settings
- Modifies registry class
PID:2848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
130⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
131⤵
PID:2224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
132⤵
- Drops file in Windows directory
PID:2144

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
133⤵
- Checks computer location settings
- Modifies registry class
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
134⤵
- Drops file in Windows directory
PID:2300

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
135⤵
- Checks computer location settings
- Modifies registry class
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
136⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
137⤵
- Modifies registry class
PID:672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
138⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
139⤵
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
140⤵
- Drops file in Windows directory
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
141⤵
- Drops file in Windows directory
- Modifies registry class
PID:4572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
142⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
143⤵
- Checks computer location settings
PID:1880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
144⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
145⤵
- Checks computer location settings
- Modifies registry class
PID:4720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
146⤵
- Drops file in Windows directory
PID:404

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
147⤵
- Drops file in Windows directory
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
148⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
149⤵
PID:4624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
150⤵
- Drops file in Windows directory
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
151⤵
PID:4332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
152⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
153⤵
PID:2636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
154⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
155⤵
- Checks computer location settings
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
156⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
157⤵
- Modifies registry class
PID:4776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
158⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
159⤵
- Drops file in Windows directory
PID:3424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
160⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
161⤵
- Drops file in Windows directory
PID:1284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
162⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
163⤵
- Modifies registry class
PID:5012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
164⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
165⤵
- Modifies registry class
PID:3028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
166⤵
- Drops file in Windows directory
PID:1524

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
167⤵
- Modifies registry class
PID:3340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
168⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
169⤵
PID:384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
170⤵
- Drops file in Windows directory
PID:2860

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
171⤵
- Checks computer location settings
PID:2096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
172⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
173⤵
- Modifies registry class
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
174⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
175⤵
- Checks computer location settings
PID:4772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
176⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
177⤵
- Checks computer location settings
PID:4944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
178⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
179⤵
PID:3260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
180⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
181⤵
- Drops file in Windows directory
- Modifies registry class
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
182⤵
- Drops file in Windows directory
PID:212

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
183⤵
- Drops file in Windows directory
- Modifies registry class
PID:2196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
184⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
185⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
186⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
187⤵
- Modifies registry class
PID:4264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
188⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
189⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
190⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
191⤵
PID:1408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
192⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
193⤵
PID:2756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
194⤵
- Drops file in Windows directory
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
195⤵
- Drops file in Windows directory
- Modifies registry class
PID:4804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
196⤵
- Drops file in Windows directory
PID:4328

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
197⤵
- Checks computer location settings
PID:2748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
198⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
199⤵
- Checks computer location settings
- Modifies registry class
PID:1524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
200⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
201⤵
- Checks computer location settings
PID:3120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
202⤵
- Drops file in Windows directory
PID:3888

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
203⤵
PID:4116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
204⤵
- Drops file in Windows directory
PID:4356

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
205⤵
- Checks computer location settings
PID:2216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
206⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
207⤵
- Checks computer location settings
- Modifies registry class
PID:1880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
208⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
209⤵
- Drops file in Windows directory
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
210⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
211⤵
- Checks computer location settings
PID:4972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
212⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
213⤵
- Checks computer location settings
PID:2156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
214⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
215⤵
- Checks computer location settings
- Modifies registry class
PID:2748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
216⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
217⤵
- Modifies registry class
PID:1524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
218⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
219⤵
- Checks computer location settings
PID:2344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
220⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
221⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
222⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
223⤵
- Checks computer location settings
PID:1348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
224⤵
- Drops file in Windows directory
PID:4252

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
225⤵
- Checks computer location settings
- Modifies registry class
PID:1056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
226⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
227⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
228⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
229⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
230⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
231⤵
- Checks computer location settings
PID:4588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
232⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
233⤵
PID:3028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
234⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
235⤵
- Checks computer location settings
PID:3156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
236⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
237⤵
- Checks computer location settings
PID:3132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
238⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
239⤵
- Checks computer location settings
- Modifies registry class
PID:4492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
240⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
241⤵
- Checks computer location settings
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
242⤵
- Drops file in Windows directory
PID:1588

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
243⤵
- Drops file in Windows directory
- Modifies registry class
PID:4772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
244⤵
- Drops file in Windows directory
PID:4804

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
245⤵
- Checks computer location settings
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
246⤵
- Drops file in Windows directory
PID:1192

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
247⤵
- Modifies registry class
PID:1296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
248⤵
- Drops file in Windows directory
PID:4876

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
249⤵
- Modifies registry class
PID:2012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
250⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
251⤵
- Drops file in Windows directory
PID:2800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
252⤵
- Drops file in Windows directory
PID:3600

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
253⤵
- Modifies registry class
PID:3888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
254⤵
- Drops file in Windows directory
PID:1736

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
255⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
256⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
257⤵
PID:3696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
258⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
259⤵
- Checks computer location settings
PID:4460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE"
260⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\34628C~1.EXE
261⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
PID:3260

C:\Users\Admin\AppData\Local\Temp\1973215878.exe
C:\Users\Admin\AppData\Local\Temp\1973215878.exe
262⤵
- Adds Run key to start application
PID:632

C:\Windows\sysmablsvr.exe
C:\Windows\sysmablsvr.exe
263⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Suspicious behavior: SetClipboardViewer
PID:1836

C:\Users\Admin\AppData\Local\Temp\652221634.exe
C:\Users\Admin\AppData\Local\Temp\652221634.exe
264⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\1148321114.exe
C:\Users\Admin\AppData\Local\Temp\1148321114.exe
264⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\2878012175.exe
C:\Users\Admin\AppData\Local\Temp\2878012175.exe
264⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\298723539.exe
C:\Users\Admin\AppData\Local\Temp\298723539.exe
264⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\1091214388.exe
C:\Users\Admin\AppData\Local\Temp\1091214388.exe
262⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\3068410584.exe
C:\Users\Admin\AppData\Local\Temp\3068410584.exe
263⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Users\Admin\AppData\Local\Temp\90975602.exe
C:\Users\Admin\AppData\Local\Temp\90975602.exe
262⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\3191529532.exe
C:\Users\Admin\AppData\Local\Temp\3191529532.exe
262⤵
- Adds Run key to start application
PID:3124

C:\Windows\winblrsnrcs.exe
C:\Windows\winblrsnrcs.exe
263⤵
- Modifies security service
- Windows security bypass
- Windows security modification
PID:2720

C:\Users\Admin\AppData\Local\Temp\1129711266.exe
C:\Users\Admin\AppData\Local\Temp\1129711266.exe
264⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\1223435349.exe
C:\Users\Admin\AppData\Local\Temp\1223435349.exe
264⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\1057326613.exe
C:\Users\Admin\AppData\Local\Temp\1057326613.exe
264⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\1096135166.exe
C:\Users\Admin\AppData\Local\Temp\1096135166.exe
264⤵
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
2⤵
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4544

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3124 /prefetch:8
1⤵
PID:3720

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 8343be54d7167eac5aaad5d83bcb690e Fg4lhvengEWgovXbIy1PrQ.0.1.0.0.0
1⤵
PID:2368

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4844

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1296

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
773KB

MD5
e7a27a45efa530c657f58fda9f3b9f4a

SHA1
6c0d29a8b75574e904ab1c39fc76b39ca8f8e461

SHA256
d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5

SHA512
0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe
Filesize
325KB

MD5
6f87ccb8ab73b21c9b8288b812de8efa

SHA1
a709254f843a4cb50eec3bb0a4170ad3e74ea9b3

SHA256
14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22

SHA512
619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
Filesize
366KB

MD5
e993fc52e866f491afa891e1d57ca3c4

SHA1
779bce590a944bdc0b276ba5a80981e4c1e714e6

SHA256
508b2563ffb43546b07c5ddf588cfd7e51397c70726d818495fa7494a724efbe

SHA512
4c46e1123d8a1445893999b214773571341f1549a4c4ee0b7f35670ea514d44b950b1509613863a12af84f0f79c0d13bb7e0c4e46bc9598c6462b5dfe5820bc8

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
Filesize
505KB

MD5
de69c005b0bbb513e946389227183eeb

SHA1
2a64efdcdc71654356f77a5b77da8b840dcc6674

SHA256
ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7

SHA512
6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
Filesize
155KB

MD5
f7c714dbf8e08ca2ed1a2bfb8ca97668

SHA1
cc78bf232157f98b68b8d81327f9f826dabb18ab

SHA256
fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899

SHA512
28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
Filesize
265KB

MD5
25e165d6a9c6c0c77ee1f94c9e58754b

SHA1
9b614c1280c75d058508bba2a468f376444b10c1

SHA256
8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217

SHA512
7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe
Filesize
598KB

MD5
ac0d708bbcd017ea66c1e5342769247f

SHA1
80ac2eba3acd2c5cd46b5dd0d7d4e50bc1dcd832

SHA256
9bad891baaba2084cb551b981b9eec735f3a9482b51b4b3abbabf76dbc217cd2

SHA512
4bc2f1d9d86407776a725a97f80f8ffd88c5139977ee84bbefd7e01b37a4665f1ccf23bde4ac3f9bcaf8bb4159868577153bf93bb07abc4e7924b12019cb18a2

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe
Filesize
6.8MB

MD5
3c6af29363b09b1fe010b098eb483da8

SHA1
a3eb972dad6881268d5aec7db7a5b3112d0d5f82

SHA256
82ff701fb161ceff3a018b7a744a71c9e88b7009e32792499b742c2b0a88ec01

SHA512
6fbff42fca39c93a972e55b227f05a507ea494a4cd22a0e09c578c144bb9bc3eea9ab8402ffa1f1c7e10bd53c4384e68049aeb51d729629cc9f0624d0fd747fa

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe
Filesize
162KB

MD5
452b247061b3cf1def0aceee27b4a522

SHA1
2ce1a0ce564e41095691184682518826db1d7e9c

SHA256
484ca6e9fbfea88a939ff7cc511ac52b40631554efaf35ffc210dd56f2b2d9fa

SHA512
d395a82ac1e4e4a926b91e8ee465a2f457f20e011822c08ad17282378382dfe980b13b979db9aadce201df41c27922f77ba4c18b81c336744cfcf955b42c1f21

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe
Filesize
1.8MB

MD5
f6d23b507a70dc334edc1f7a83f23f35

SHA1
faad9c7cc838feca898f79a59ee3fc172b4c793b

SHA256
66c7ddec71930588f69aa9b2ea682a4b5e166ff4d12e3a053b6bc73b44f24992

SHA512
cce30fb7085c6b833532b5d64c6d2c9af9a5dd9b1b74832a2c526ea1944c360bbdb7e0d65de6f9db068a650c0abcd65490e33240618e8e8fd0da0348dd00022d

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe
Filesize
1.3MB

MD5
a01b520e542f52ed904cce1e94aef7e2

SHA1
f59666599ed776cadd774bc272a5340bbf75b9c8

SHA256
461c20501e56adf01acc203da06a9d5687514889abe3ccf93f4753e426122267

SHA512
ae093333bbba79897ecfe7e99abf396b195341052331c80629bd9ae0ceda3260380300ffbb6be1008338681b14fa565693d88ba08e6bb056e3cbdb9e690b5f06

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe
Filesize
3.9MB

MD5
f72b423cf9cc798732925eed3cf2e60c

SHA1
79704a4604020a0f6e7ae63d1be486cdbe08e061

SHA256
a978d5aa986b25b229b3c45120b9cac1f223497cfb870c869b86aedcdc4602f1

SHA512
0d72aaf9fa6acc92da60c34f59c72fa07ec5d857dfeea114613bc94de44154fa2d6a94aa8dea47a8212e74776c76b8cc2049f787d726361400521f724458c55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1148321114.exe
Filesize
10KB

MD5
6567b839ec69322ba1aa41b15fbd1e64

SHA1
0a2a0770afe094765a5eb88f6201847bf642bea9

SHA256
8a4b87ed94fc50767d0bc91291a8b8a436b941b273b29ab0d442ba1cc10b76fb

SHA512
2e4798244bf3891beea64ee0b0d106c6f47b7c7d6daf222af6192874dc0ef67491c82e93821c1ff9fbd25cf9ec50178e959adb466b210ff9754dd4e8387a30cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2878012175.exe
Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\34628ca1039a637936735225d91cf6ec1b3042a56fdee1de39ce17775963b211.exe
Filesize
165KB

MD5
79846f910f5d92f69e7701d3c1c39b9f

SHA1
f520e43276f5d1f875a4e2bcdfdaff94a116685b

SHA256
a76598a5e8d0153d9d8d79ad7a5df8fba5b27c6d5998275e2291b32fd9164017

SHA512
1a1c31cf9edd13e0639ac96e3aad2b7dc05cfb58f576bf9b03a6a7b90f8e67effdbcdb878198ecea3676fc3a9c1df5e5b39eca958f60443b95e91c3fb26dbd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\652221634.exe
Filesize
88KB

MD5
cf68718b0d7b63adceae3480c7e525f5

SHA1
acd48e3e03bbf71f254eb9387b0646c8e438881c

SHA256
c2515acb1648a8707d7ce693c41bac24eba62ff268f44da59eb0f7ee61728685

SHA512
ec616e40cc35a7a9f740cda0390d55ee3cf852c759f0b1fcc483ecb79860d4d269735fffe93b665fdb2ba6ad5438b9d909d1802f357ae0b6501a77a119a5699f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_afaxuk0o.jep.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\sysdinrdvs.exe
Filesize
84KB

MD5
327f84628e45d23cf22fe1241e0e6919

SHA1
5cadf08fe7f12320819a505ed0fea0995dc83c95

SHA256
41eac81105327a9bdb98bf783698eb53d385c07c2a7a7dc6c207f81302f807c3

SHA512
d4c7eeab2672e5bbf2479d14f61c8119df5979ceaaca06e035644c9a83de38b63973d4a7a7c5e9210d0f214354ec33194c94565624b43631210952a5c0a429d9

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
9ce4bf5f03dcd30be8bb0455fba844b3

SHA1
eb86262e8c82a606b5c0715cf1198103c9eeb437

SHA256
8d5b38c33f6994d48c44457db6a5b9fdc5c7c34a0a333b7f841257114095684a

SHA512
f71ae6e6316e0dd36da2ba81c44a292744d6034c190c9164ab75541dfac19e48fe4dee34abd2d07d23ad6069771d094b31249116da2efa351a00bab4cc7c8a9a

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\sysmablsvr.exe
Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Windows\winblrsnrcs.exe
Filesize
18KB

MD5
30dca8b68825d5b3db7a685aa3da0a13

SHA1
07320822d14d6caf8825dd6d806c0cde398584f3

SHA256
f2dc635cb5fe8b8815ea98d909b67016975ca8e5a43cb39e47595ecd01038a96

SHA512
b5f3be086d3f7c751028d8d8a025069743b2472cec10252627f5583492383a5a865e88ad5839d83bf3a3c31b5b630753e77a2c02433d7fbe90aa11acd0f35f0c

Download Submit
memory/212-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/404-158-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/628-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/672-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/696-1169-0x000001A403020000-0x000001A403042000-memory.dmp

Filesize
136KB

Download
memory/828-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1072-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1220-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1224-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1284-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1580-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1608-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1764-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1932-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2272-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2344-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2732-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3092-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3132-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3156-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3424-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3464-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3472-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3560-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3564-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3792-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3880-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3924-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4092-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4100-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4168-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4216-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4316-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4376-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4412-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4448-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4492-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4576-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4580-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4604-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4652-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4876-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4900-251-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5056-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download