neshta | 9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
Size

158KB
MD5

629205c3fafec1ec163409031790146d
SHA1

1bd9432378e21774324a4f0e34f4f6933ccb94b0
SHA256

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79
SHA512

40305f90a85572da5269c0f5c9589f5ddb5c603e8cad6faebc2f9de53cdee99781970447f194822ed912c77f3abe0956996d4ee4e1f7edd4c7b06b497ada6e45
SSDEEP

1536:JxqjQ+P04wsmJCu8SBKygMc5FWF96RDW3Mz8c+nowfs6Zfe7MI8ACc+aprlOxqjh:sr85CpSfg5Fo6xdwc+08anp9r85C

Score

10^/10

neshta phorphiex evasion loader persistence spyware stealer trojan worm

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
behavioral1/memory/2412-30-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2712-29-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2716-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2780-43-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2688-58-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2700-57-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2752-72-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2496-71-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1544-85-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2400-86-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2816-100-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2972-99-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	family_neshta
behavioral1/memory/1796-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1968-118-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	family_neshta
behavioral1/memory/1692-148-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1608-147-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1684-165-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2276-164-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2288-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2904-178-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1092-192-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/672-193-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/536-201-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1736-200-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1988-214-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2916-215-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/768-238-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2264-237-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1784-253-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2936-254-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2864-270-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3008-271-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2136-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2176-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2684-288-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-287-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2632-302-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2796-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2788-310-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2688-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2572-318-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2960-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2968-326-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1136-327-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3056-335-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1420-334-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2840-342-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2332-343-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1728-350-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2020-351-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1964-358-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1888-359-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

winblrsnrcs.exe713815124.exesysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysmablsvr.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Phorphiex payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\713815124.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3031422245.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

2888713801.exewupgrdsv.exe

description	pid	process	target process
PID 2720 created 1196	2720	2888713801.exe	Explorer.EXE
PID 2720 created 1196	2720	2888713801.exe	Explorer.EXE
PID 2796 created 1196	2796	wupgrdsv.exe	Explorer.EXE
PID 2796 created 1196	2796	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 24 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

713815124.exesysmablsvr.exemwupsrcvc.exewinblrsnrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblrsnrcs.exe

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exesvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com

pid	process
2084	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
2412	svchost.com
2712	949366~1.EXE
2716	svchost.com
2780	949366~1.EXE
2688	svchost.com
2700	949366~1.EXE
2752	svchost.com
2496	949366~1.EXE
2400	svchost.com
1544	949366~1.EXE
2816	svchost.com
2972	949366~1.EXE
1968	svchost.com
1796	949366~1.EXE
1692	svchost.com
1608	949366~1.EXE
2276	svchost.com
1684	949366~1.EXE
2904	svchost.com
2288	949366~1.EXE
672	svchost.com
1092	949366~1.EXE
536	svchost.com
1736	949366~1.EXE
1988	svchost.com
2916	949366~1.EXE
2264	svchost.com
768	949366~1.EXE
2936	svchost.com
1784	949366~1.EXE
3008	svchost.com
2864	949366~1.EXE
2176	svchost.com
2136	949366~1.EXE
2728	svchost.com
2684	949366~1.EXE
2632	svchost.com
2796	949366~1.EXE
2788	svchost.com
2688	949366~1.EXE
2572	svchost.com
2960	949366~1.EXE
2968	svchost.com
1136	949366~1.EXE
3056	svchost.com
1420	949366~1.EXE
2840	svchost.com
2332	949366~1.EXE
2020	svchost.com
1728	949366~1.EXE
1888	svchost.com
1964	949366~1.EXE
1796	svchost.com
1620	949366~1.EXE
1940	svchost.com
1488	949366~1.EXE
1132	svchost.com
2120	949366~1.EXE
1192	svchost.com
2300	949366~1.EXE
2276	svchost.com
1056	949366~1.EXE
2512	svchost.com

Loads dropped DLL 64 IoCs

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

pid	process
1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
2412	svchost.com
2412	svchost.com
2716	svchost.com
2716	svchost.com
2688	svchost.com
2688	svchost.com
2752	svchost.com
2752	svchost.com
2400	svchost.com
2400	svchost.com
2816	svchost.com
2816	svchost.com
1968	svchost.com
1968	svchost.com
1692	svchost.com
1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
2084	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
1692	svchost.com
2276	svchost.com
2276	svchost.com
1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
2904	svchost.com
2904	svchost.com
672	svchost.com
672	svchost.com
536	svchost.com
536	svchost.com
1988	svchost.com
1988	svchost.com
1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
2264	svchost.com
2264	svchost.com
2936	svchost.com
2936	svchost.com
3008	svchost.com
3008	svchost.com
2084	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
2176	svchost.com
2176	svchost.com
2728	svchost.com
2728	svchost.com
2632	svchost.com
2632	svchost.com
2788	svchost.com
2788	svchost.com
2572	svchost.com
2572	svchost.com
2968	svchost.com
2968	svchost.com
3056	svchost.com
3056	svchost.com
2840	svchost.com
2840	svchost.com
2020	svchost.com
2020	svchost.com
1888	svchost.com
1888	svchost.com
1796	svchost.com
1796	svchost.com
1940	svchost.com
1940	svchost.com
1132	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmablsvr.exewinblrsnrcs.exemwupsrcvc.exe713815124.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	713815124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	mwupsrcvc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

949366~1.EXE713815124.exe3031422245.exe301172749.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\mwupsrcvc.exe"	949366~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvratrel.exe"	713815124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvratrel.exe"	713815124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	3031422245.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winblrsnrcs.exe"	301172749.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 2796 set thread context of 2164 2796 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 2796 set thread context of 2164	2796	wupgrdsv.exe	notepad.exe

Drops file in Program Files directory 64 IoCs

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

Drops file in Windows directory 64 IoCs

Processes:

949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXEsvchost.comsvchost.comsvchost.com949366~1.EXE949366~1.EXEsvchost.com949366~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com949366~1.EXEsvchost.comsvchost.comsvchost.com949366~1.EXE949366~1.EXEsvchost.comsvchost.com949366~1.EXE949366~1.EXEsvchost.comsvchost.com949366~1.EXE949366~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com949366~1.EXE949366~1.EXEsvchost.comsvchost.com949366~1.EXE949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXE949366~1.EXEsvchost.comsvchost.comsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.comsvchost.com949366~1.EXE949366~1.EXE949366~1.EXE

description	ioc	process
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2996 schtasks.exe
2028 schtasks.exe

pid	process
2996	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2888713801.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
2720	2888713801.exe
2720	2888713801.exe
2668	powershell.exe
2720	2888713801.exe
2720	2888713801.exe
2796	wupgrdsv.exe
2796	wupgrdsv.exe
2700	powershell.exe
2796	wupgrdsv.exe
2796	wupgrdsv.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

713815124.exesysmablsvr.exe

pid process

1780 713815124.exe
1760 sysmablsvr.exe

pid	process
1780	713815124.exe
1760	sysmablsvr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeLockMemoryPrivilege	2164	notepad.exe
Token: SeLockMemoryPrivilege	2164	notepad.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

notepad.exe

pid	process
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

notepad.exe

pid	process
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe
2164	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exesvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXE

description	pid	process	target process
PID 1764 wrote to memory of 2084	1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
PID 1764 wrote to memory of 2084	1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
PID 1764 wrote to memory of 2084	1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
PID 1764 wrote to memory of 2084	1764	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
PID 2084 wrote to memory of 2412	2084	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	svchost.com
PID 2084 wrote to memory of 2412	2084	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	svchost.com
PID 2084 wrote to memory of 2412	2084	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	svchost.com
PID 2084 wrote to memory of 2412	2084	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	svchost.com
PID 2412 wrote to memory of 2712	2412	svchost.com	949366~1.EXE
PID 2412 wrote to memory of 2712	2412	svchost.com	949366~1.EXE
PID 2412 wrote to memory of 2712	2412	svchost.com	949366~1.EXE
PID 2412 wrote to memory of 2712	2412	svchost.com	949366~1.EXE
PID 2712 wrote to memory of 2716	2712	949366~1.EXE	svchost.com
PID 2712 wrote to memory of 2716	2712	949366~1.EXE	svchost.com
PID 2712 wrote to memory of 2716	2712	949366~1.EXE	svchost.com
PID 2712 wrote to memory of 2716	2712	949366~1.EXE	svchost.com
PID 2716 wrote to memory of 2780	2716	svchost.com	949366~1.EXE
PID 2716 wrote to memory of 2780	2716	svchost.com	949366~1.EXE
PID 2716 wrote to memory of 2780	2716	svchost.com	949366~1.EXE
PID 2716 wrote to memory of 2780	2716	svchost.com	949366~1.EXE
PID 2780 wrote to memory of 2688	2780	949366~1.EXE	949366~1.EXE
PID 2780 wrote to memory of 2688	2780	949366~1.EXE	949366~1.EXE
PID 2780 wrote to memory of 2688	2780	949366~1.EXE	949366~1.EXE
PID 2780 wrote to memory of 2688	2780	949366~1.EXE	949366~1.EXE
PID 2688 wrote to memory of 2700	2688	svchost.com	949366~1.EXE
PID 2688 wrote to memory of 2700	2688	svchost.com	949366~1.EXE
PID 2688 wrote to memory of 2700	2688	svchost.com	949366~1.EXE
PID 2688 wrote to memory of 2700	2688	svchost.com	949366~1.EXE
PID 2700 wrote to memory of 2752	2700	949366~1.EXE	svchost.com
PID 2700 wrote to memory of 2752	2700	949366~1.EXE	svchost.com
PID 2700 wrote to memory of 2752	2700	949366~1.EXE	svchost.com
PID 2700 wrote to memory of 2752	2700	949366~1.EXE	svchost.com
PID 2752 wrote to memory of 2496	2752	svchost.com	949366~1.EXE
PID 2752 wrote to memory of 2496	2752	svchost.com	949366~1.EXE
PID 2752 wrote to memory of 2496	2752	svchost.com	949366~1.EXE
PID 2752 wrote to memory of 2496	2752	svchost.com	949366~1.EXE
PID 2496 wrote to memory of 2400	2496	949366~1.EXE	svchost.com
PID 2496 wrote to memory of 2400	2496	949366~1.EXE	svchost.com
PID 2496 wrote to memory of 2400	2496	949366~1.EXE	svchost.com
PID 2496 wrote to memory of 2400	2496	949366~1.EXE	svchost.com
PID 2400 wrote to memory of 1544	2400	svchost.com	949366~1.EXE
PID 2400 wrote to memory of 1544	2400	svchost.com	949366~1.EXE
PID 2400 wrote to memory of 1544	2400	svchost.com	949366~1.EXE
PID 2400 wrote to memory of 1544	2400	svchost.com	949366~1.EXE
PID 1544 wrote to memory of 2816	1544	949366~1.EXE	svchost.com
PID 1544 wrote to memory of 2816	1544	949366~1.EXE	svchost.com
PID 1544 wrote to memory of 2816	1544	949366~1.EXE	svchost.com
PID 1544 wrote to memory of 2816	1544	949366~1.EXE	svchost.com
PID 2816 wrote to memory of 2972	2816	svchost.com	949366~1.EXE
PID 2816 wrote to memory of 2972	2816	svchost.com	949366~1.EXE
PID 2816 wrote to memory of 2972	2816	svchost.com	949366~1.EXE
PID 2816 wrote to memory of 2972	2816	svchost.com	949366~1.EXE
PID 2972 wrote to memory of 1968	2972	949366~1.EXE	svchost.com
PID 2972 wrote to memory of 1968	2972	949366~1.EXE	svchost.com
PID 2972 wrote to memory of 1968	2972	949366~1.EXE	svchost.com
PID 2972 wrote to memory of 1968	2972	949366~1.EXE	svchost.com
PID 1968 wrote to memory of 1796	1968	svchost.com	svchost.com
PID 1968 wrote to memory of 1796	1968	svchost.com	svchost.com
PID 1968 wrote to memory of 1796	1968	svchost.com	svchost.com
PID 1968 wrote to memory of 1796	1968	svchost.com	svchost.com
PID 1796 wrote to memory of 1692	1796	949366~1.EXE	svchost.com
PID 1796 wrote to memory of 1692	1796	949366~1.EXE	svchost.com
PID 1796 wrote to memory of 1692	1796	949366~1.EXE	svchost.com
PID 1796 wrote to memory of 1692	1796	949366~1.EXE	svchost.com

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
"C:\Users\Admin\AppData\Local\Temp\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe"
2⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
19⤵
- Executes dropped EXE
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
21⤵
- Executes dropped EXE
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
23⤵
- Executes dropped EXE
PID:2288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:672

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
25⤵
- Executes dropped EXE
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
27⤵
- Executes dropped EXE
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
29⤵
- Executes dropped EXE
PID:2916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
31⤵
- Executes dropped EXE
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2936

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
33⤵
- Executes dropped EXE
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
34⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3008

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
35⤵
- Executes dropped EXE
PID:2864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
37⤵
- Executes dropped EXE
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
39⤵
- Executes dropped EXE
PID:2684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
41⤵
- Executes dropped EXE
PID:2796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
43⤵
- Executes dropped EXE
PID:2688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
45⤵
- Executes dropped EXE
PID:2960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
47⤵
- Executes dropped EXE
PID:1136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
49⤵
- Executes dropped EXE
PID:1420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
50⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2840

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
51⤵
- Executes dropped EXE
PID:2332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
53⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
55⤵
- Executes dropped EXE
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
57⤵
- Executes dropped EXE
PID:1620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
59⤵
- Executes dropped EXE
PID:1488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
61⤵
- Executes dropped EXE
PID:2120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
62⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
63⤵
- Executes dropped EXE
PID:2300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2276

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
65⤵
- Executes dropped EXE
PID:1056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
66⤵
- Executes dropped EXE
PID:2512

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
67⤵
- Drops file in Windows directory
PID:2288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
68⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
69⤵
PID:1880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
70⤵
- Drops file in Windows directory
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
71⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
72⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
73⤵
PID:944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
74⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
75⤵
PID:748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
76⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
77⤵
- Drops file in Windows directory
PID:2184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
78⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
79⤵
PID:3016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
80⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
81⤵
PID:3012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
82⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
83⤵
PID:2064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
84⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
85⤵
PID:2860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
86⤵
- Drops file in Windows directory
PID:2656

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
87⤵
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
88⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
89⤵
PID:2716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
90⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
91⤵
PID:2780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
92⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
93⤵
PID:2844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
94⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
95⤵
PID:2688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
96⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
97⤵
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
98⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
99⤵
PID:2744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
100⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
101⤵
PID:2956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
102⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
103⤵
PID:1624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
104⤵
- Drops file in Windows directory
PID:308

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
105⤵
PID:1944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
106⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
107⤵
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
108⤵
- Drops file in Windows directory
PID:1620

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
109⤵
- Drops file in Windows directory
PID:1680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
110⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
111⤵
- Drops file in Windows directory
PID:2236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
112⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
113⤵
PID:2232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
114⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
115⤵
PID:2900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
116⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
117⤵
PID:776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
118⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
119⤵
PID:1476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
120⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
121⤵
PID:332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
122⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
123⤵
PID:352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
124⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
125⤵
- Drops file in Windows directory
PID:748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
126⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
127⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
128⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
129⤵
PID:2488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
130⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
131⤵
- Drops file in Windows directory
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
132⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
133⤵
PID:2040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
134⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
135⤵
PID:1588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
136⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
137⤵
PID:2620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
138⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
139⤵
PID:2672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
140⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
141⤵
PID:2792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
142⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
143⤵
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
144⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
145⤵
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
146⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
147⤵
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
148⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
149⤵
PID:2744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
150⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
151⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
152⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
153⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
154⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
155⤵
- Drops file in Windows directory
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
156⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
157⤵
PID:628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
158⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
159⤵
PID:1316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
160⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
161⤵
PID:2120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
162⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
163⤵
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
164⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
165⤵
PID:2900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
166⤵
- Drops file in Windows directory
PID:592

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
167⤵
PID:2276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
168⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
169⤵
- Drops file in Windows directory
PID:1468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
170⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
171⤵
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
172⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
173⤵
PID:808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
174⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
175⤵
PID:1040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
176⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
177⤵
PID:3040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
178⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
179⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
180⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
181⤵
PID:1492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
182⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
183⤵
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
184⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
185⤵
PID:1596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
186⤵
- Drops file in Windows directory
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
187⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
188⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
189⤵
PID:2620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
190⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
191⤵
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
192⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
193⤵
PID:2640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
194⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
195⤵
PID:2584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
196⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
197⤵
PID:2692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
198⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
199⤵
PID:2104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
200⤵
- Drops file in Windows directory
PID:1532

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
201⤵
- Drops file in Windows directory
PID:2824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
202⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
203⤵
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
204⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
205⤵
PID:2420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
206⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
207⤵
PID:1668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
208⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
209⤵
PID:2504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
210⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
211⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
212⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
213⤵
PID:1772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
214⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
215⤵
PID:2232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
216⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
217⤵
PID:320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
218⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
219⤵
- Drops file in Windows directory
PID:592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
220⤵
- Drops file in Windows directory
PID:2276

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
221⤵
PID:1476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
222⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
223⤵
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
224⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
225⤵
- Drops file in Windows directory
PID:2948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
226⤵
- Drops file in Windows directory
PID:1744

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
227⤵
PID:2916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
228⤵
- Drops file in Windows directory
PID:1304

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
229⤵
PID:1776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
230⤵
- Drops file in Windows directory
PID:2044

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
231⤵
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
232⤵
- Drops file in Windows directory
PID:2944

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
233⤵
PID:2868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
234⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
235⤵
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
236⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
237⤵
PID:1596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
238⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
239⤵
PID:2412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
240⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
241⤵
PID:2680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
242⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
243⤵
PID:2716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
244⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
245⤵
PID:2560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
246⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
247⤵
PID:2592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
248⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
249⤵
PID:2692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
250⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
251⤵
PID:2852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
252⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
253⤵
PID:2972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
254⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
255⤵
PID:2332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
256⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
257⤵
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
258⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
259⤵
PID:2200

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
260⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
261⤵
PID:1620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
262⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
263⤵
PID:1132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
264⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
265⤵
PID:2832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
266⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
267⤵
PID:2844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
268⤵
- Drops file in Windows directory
PID:2100

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
269⤵
PID:2352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
270⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
271⤵
PID:2848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
272⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
273⤵
PID:764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
274⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
275⤵
PID:2224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
276⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
277⤵
PID:2948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
278⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
279⤵
PID:2916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
280⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
281⤵
PID:852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
282⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
283⤵
PID:1496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
284⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
285⤵
PID:2936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
286⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
287⤵
PID:3008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
288⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
289⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
290⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
291⤵
- Drops file in Windows directory
PID:2620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
292⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
293⤵
PID:2664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
294⤵
- Drops file in Windows directory
PID:2564

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
295⤵
PID:2780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
296⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
297⤵
- Drops file in Windows directory
PID:2584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
298⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
299⤵
- Drops file in Windows directory
PID:2968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
300⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
301⤵
PID:2580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
302⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
303⤵
PID:1532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
304⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
305⤵
PID:2816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
306⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
307⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
308⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
309⤵
- Drops file in Windows directory
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
310⤵
- Drops file in Windows directory
PID:1668

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
311⤵
PID:1392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
312⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
313⤵
PID:1220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
314⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
315⤵
PID:840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
316⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
317⤵
PID:2112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
318⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
319⤵
PID:2904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
320⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
321⤵
PID:2352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
322⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
323⤵
PID:1880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
324⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
325⤵
PID:1760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
326⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
327⤵
PID:1828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
328⤵
PID:284

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
329⤵
PID:1212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
330⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
331⤵
PID:984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
332⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
333⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
334⤵
- Drops file in Windows directory
PID:1496

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
335⤵
PID:2868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
336⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
337⤵
PID:3036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
338⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
339⤵
PID:2740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
340⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
341⤵
PID:2668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
342⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
343⤵
PID:2644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
344⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
345⤵
PID:2792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
346⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
347⤵
PID:2696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
348⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
349⤵
PID:2392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
350⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
351⤵
PID:2812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
352⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
353⤵
PID:2628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
354⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
355⤵
PID:2568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
356⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
357⤵
PID:2416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
358⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
359⤵
PID:2624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
360⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
361⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
362⤵
- Drops file in Windows directory
PID:1668

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
363⤵
PID:2260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
364⤵
- Drops file in Windows directory
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
365⤵
PID:2244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
366⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
367⤵
- Drops file in Windows directory
PID:2300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
368⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
369⤵
PID:2512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
370⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
371⤵
PID:2508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
372⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
373⤵
PID:576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
374⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
375⤵
PID:1604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
376⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
377⤵
PID:352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
378⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
379⤵
PID:748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
380⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
381⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
382⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
383⤵
- Drops file in Windows directory
PID:888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
384⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
385⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
386⤵
- Drops file in Windows directory
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
387⤵
- Drops file in Windows directory
PID:1872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
388⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
389⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
390⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
391⤵
- Drops file in Windows directory
PID:3068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
392⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
393⤵
PID:2536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
394⤵
- Drops file in Windows directory
PID:2684

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
395⤵
PID:2672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
396⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
397⤵
PID:2616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
398⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
399⤵
PID:2700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
400⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
401⤵
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
402⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
403⤵
- Drops file in Windows directory
PID:2580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
404⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
405⤵
PID:2588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
406⤵
- Drops file in Windows directory
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
407⤵
PID:308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
408⤵
- Drops file in Windows directory
PID:1624

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
409⤵
PID:1676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
410⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
411⤵
- Drops file in Windows directory
PID:2504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
412⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
413⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
414⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
415⤵
PID:1220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
416⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
417⤵
- Drops file in Windows directory
PID:2908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
418⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
419⤵
PID:1416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
420⤵
- Drops file in Windows directory
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
421⤵
PID:988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
422⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
423⤵
PID:1468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
424⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
425⤵
PID:1028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
426⤵
- Drops file in Windows directory
PID:892

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
427⤵
- Drops file in Windows directory
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
428⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
429⤵
PID:944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
430⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
431⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
432⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
433⤵
PID:3024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
434⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
435⤵
PID:852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
436⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
437⤵
- Drops file in Windows directory
PID:1848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
438⤵
- Drops file in Windows directory
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
439⤵
PID:2636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
440⤵
- Drops file in Windows directory
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
441⤵
PID:1892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
442⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
443⤵
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
444⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
445⤵
PID:2552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
446⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
447⤵
PID:2544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
448⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
449⤵
PID:2604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
450⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
451⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
452⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
453⤵
PID:2744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
454⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
455⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
456⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
457⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
458⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
459⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
460⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
461⤵
PID:1996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
462⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
463⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
464⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
465⤵
PID:1488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
466⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
467⤵
PID:1780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
468⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
469⤵
PID:2836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
470⤵
- Drops file in Windows directory
PID:760

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
471⤵
PID:2856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
472⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
473⤵
PID:2276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
474⤵
- Drops file in Windows directory
PID:1052

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
475⤵
PID:608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
476⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
477⤵
PID:156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
478⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
479⤵
PID:1044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
480⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
481⤵
PID:2928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
482⤵
- Drops file in Windows directory
PID:2072

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
483⤵
PID:2472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
484⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
485⤵
PID:1556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
486⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
487⤵
PID:2868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
488⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
489⤵
PID:2608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
490⤵
- Drops file in Windows directory
PID:1588

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
491⤵
PID:2732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
492⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
493⤵
PID:2668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
494⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
495⤵
PID:2536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
496⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
497⤵
PID:2552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
498⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
499⤵
PID:2560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
500⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
501⤵
- Drops file in Windows directory
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
502⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
503⤵
PID:2592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
504⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
505⤵
PID:2548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
506⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
507⤵
- Adds Run key to start application
PID:2596

C:\Windows\mwupsrcvc.exe
C:\Windows\mwupsrcvc.exe
508⤵
- Windows security bypass
- Windows security modification
PID:2588

C:\Users\Admin\AppData\Local\Temp\713815124.exe
C:\Users\Admin\AppData\Local\Temp\713815124.exe
509⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
PID:1780

C:\Users\Admin\AppData\Local\Temp\3031422245.exe
C:\Users\Admin\AppData\Local\Temp\3031422245.exe
510⤵
- Adds Run key to start application
PID:592

C:\Windows\sysmablsvr.exe
C:\Windows\sysmablsvr.exe
511⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Suspicious behavior: SetClipboardViewer
PID:1760

C:\Users\Admin\AppData\Local\Temp\2308427684.exe
C:\Users\Admin\AppData\Local\Temp\2308427684.exe
512⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\583725943.exe
C:\Users\Admin\AppData\Local\Temp\583725943.exe
512⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\1709216912.exe
C:\Users\Admin\AppData\Local\Temp\1709216912.exe
512⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\63267885.exe
C:\Users\Admin\AppData\Local\Temp\63267885.exe
512⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\1597320654.exe
C:\Users\Admin\AppData\Local\Temp\1597320654.exe
510⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\2888713801.exe
C:\Users\Admin\AppData\Local\Temp\2888713801.exe
511⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Users\Admin\AppData\Local\Temp\1334211679.exe
C:\Users\Admin\AppData\Local\Temp\1334211679.exe
510⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\301172749.exe
C:\Users\Admin\AppData\Local\Temp\301172749.exe
510⤵
- Adds Run key to start application
PID:2604

C:\Windows\winblrsnrcs.exe
C:\Windows\winblrsnrcs.exe
511⤵
- Modifies security service
- Windows security bypass
- Windows security modification
PID:2020

C:\Users\Admin\AppData\Local\Temp\2078416578.exe
C:\Users\Admin\AppData\Local\Temp\2078416578.exe
512⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\1017210368.exe
C:\Users\Admin\AppData\Local\Temp\1017210368.exe
512⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\3754131393.exe
C:\Users\Admin\AppData\Local\Temp\3754131393.exe
512⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\1737410945.exe
C:\Users\Admin\AppData\Local\Temp\1737410945.exe
512⤵
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
2⤵
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2164

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2524

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1044

C:\Windows\system32\taskeng.exe
taskeng.exe {1FE730CB-391D-4FB1-95FE-7DA6EF0EB086} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
PID:1036

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
Filesize
313KB

MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
Filesize
373KB

MD5
2f6f7891de512f6269c8e8276aa3ea3e

SHA1
53f648c482e2341b4718a60f9277198711605c80

SHA256
d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86

SHA512
c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
Filesize
100KB

MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
Filesize
2.4MB

MD5
a741183f8c4d83467c51abab1ff68d7b

SHA1
ddb4a6f3782c0f03f282c2bed765d7b065aadcc6

SHA256
78be3aeb507db7e4ee7468c6b9384ee0459deebd503e06bd4988c52247ecea24

SHA512
c15dbecc0754a662892ecaff4b9b6c1bad46f710d8e1b973f86eaee467444f8e5764b31ace8f5a9a5e936947cc4dcb97cb1b14a6930c1025f38a3544393b6b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OV51DDG5\2[1]
Filesize
80KB

MD5
2ff2bb06682812eeb76628bfbe817fbb

SHA1
18e86614d0f4904e1fe97198ccda34b25aab7dae

SHA256
985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

SHA512
5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017210368.exe
Filesize
8KB

MD5
87b22e975994246dc5b7c2a3adbf85a5

SHA1
1e6528987190f0f5188240cdac553388c39e8590

SHA256
17399263a05a9144c1571e8ef88175fd08c61a38e3fcb3a955279d4a2bb9a919

SHA512
58c33379879fc75679902d1fe3db0bf1c854151cb6e4bf10496a1d657a8778699be70976bd8bba1ddd3949b24b6ae44cbc0421dd0a8cea13ef5e00179d6599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1709216912.exe
Filesize
11KB

MD5
5c2f49dd60a69e1d1aaa39f872551585

SHA1
bdd4b2cafa1779cf61c7badfb7833ee4c953efad

SHA256
babf2231a52bfe5c7dbd026f80ce2494811ec706637d13c24eeca071e23f35d2

SHA512
46f3845c05d710ae5084fd6aabce9be7c2c8b0dd7a0b65472a5a736f7bbeb1f4904093ff29d03463008f8d77905ec4c940a7e3a3b124c937ebf3251c332164c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1709216912.exe
Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\3031422245.exe
Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3039326692.exe
Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
Filesize
77KB

MD5
22aa63ba7abc7e9c395379d1fb9239cc

SHA1
16ddbfc7934ea678ac4449293f09e9b9962f1f05

SHA256
d8f37cadc7d254e526a1c516e21e820dc5b8ec836d4ff3f49f58e9613f785ff8

SHA512
db62db3a8ade0ea949a69574ff350bf9a4492c288207b91318e1818b6fe4d624af1211aecce2186cc09523b17dcb574151f48492ee16d1945ff26d920503b3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\583725943.exe
Filesize
10KB

MD5
6567b839ec69322ba1aa41b15fbd1e64

SHA1
0a2a0770afe094765a5eb88f6201847bf642bea9

SHA256
8a4b87ed94fc50767d0bc91291a8b8a436b941b273b29ab0d442ba1cc10b76fb

SHA512
2e4798244bf3891beea64ee0b0d106c6f47b7c7d6daf222af6192874dc0ef67491c82e93821c1ff9fbd25cf9ec50178e959adb466b210ff9754dd4e8387a30cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\713815124.exe
Filesize
84KB

MD5
cd1d9c0ed8763e6bb3ee7efb133dc60e

SHA1
f6f3bea085ba7c13a2956fc0810c2034792f2ddf

SHA256
19ee79b7852c54de5883404f049f9e85cb0085bae8132ada3e46d6f75b24b100

SHA512
77b675fdbfc11bff45e2438cb1bd73b7fbfa03771c600e37171f684141c82f356e392ba2694285390aedbb3ecd3306a3c0f8687d0a1940d8d44cae3a7fc41591

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QN8OM2QT32N8ZA3352PX.temp
Filesize
7KB

MD5
bba2f946a1fc274d81a316a3542502ba

SHA1
72e1e04aa99a925c60b29e468b992561ccc766cd

SHA256
e596cc5353cdda974e956cb6e94b9197f486725407acac6a9af9e9cbfe4eea3b

SHA512
3aec0378161b645449ec47f956a294404a3f80c2fae3de4d9ee0cce779b56a086a0231f1b9648a9d7ce318ef89b1b9250d5a37362d73995317b7f7e2ce319bc3

Download Submit
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
003462a89aa4b53b02a0d10e34417a0e

SHA1
d3f9ffe0658fbafd5bdab25aa9f9372ec683fd01

SHA256
195d6b4b4b26ad9197deef9df78d18cf8d01b95a5de169d41eac4742fcd25525

SHA512
dda8f81f282da808f644e0816e40dcfe29dc5c905619bdf026d23fde0d6ea99cbe6d3d904d74b099a40fd753e544899c685a614812d0992f783573dae6ac79f4

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\winblrsnrcs.exe
Filesize
18KB

MD5
30dca8b68825d5b3db7a685aa3da0a13

SHA1
07320822d14d6caf8825dd6d806c0cde398584f3

SHA256
f2dc635cb5fe8b8815ea98d909b67016975ca8e5a43cb39e47595ecd01038a96

SHA512
b5f3be086d3f7c751028d8d8a025069743b2472cec10252627f5583492383a5a865e88ad5839d83bf3a3c31b5b630753e77a2c02433d7fbe90aa11acd0f35f0c

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
Filesize
117KB

MD5
ce7bd1e16c69eebe428e255a1eca5176

SHA1
21e50879b31b81a9e627544e107a31cb2c1742be

SHA256
477ae49579b1d43a997c8f9955758a2da5f3df3882d1841258e3972f4242b530

SHA512
96c9268ca8a9ca1fd7faefc11a6381e3911b9afabf7b3dd5758de9d225605973ff16c28e4fd2e763c6db64c268b5a983ec19728978f329902a2be65e79260ca0

Download Submit
memory/536-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/672-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/768-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1056-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1092-192-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1132-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1136-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1192-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1420-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1488-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1544-85-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1608-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1684-165-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-200-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1784-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1796-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1796-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1888-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2020-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2136-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2176-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-164-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2288-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2288-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2300-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2332-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2400-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2496-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-2256-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2668-2255-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2684-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2700-2275-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2700-2274-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2700-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2716-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-43-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2904-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2916-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-254-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2960-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2968-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2972-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download