neshta | 9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
Size

158KB
MD5

629205c3fafec1ec163409031790146d
SHA1

1bd9432378e21774324a4f0e34f4f6933ccb94b0
SHA256

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79
SHA512

40305f90a85572da5269c0f5c9589f5ddb5c603e8cad6faebc2f9de53cdee99781970447f194822ed912c77f3abe0956996d4ee4e1f7edd4c7b06b497ada6e45
SSDEEP

1536:JxqjQ+P04wsmJCu8SBKygMc5FWF96RDW3Mz8c+nowfs6Zfe7MI8ACc+aprlOxqjh:sr85CpSfg5Fo6xdwc+08anp9r85C

Score

10^/10

neshta phorphiex evasion loader persistence spyware stealer trojan worm

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/3600-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2556-27-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4336-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5068-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3872-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/912-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4460-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3868-62-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5028-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3604-68-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4164-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
behavioral2/memory/1612-86-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
behavioral2/memory/4892-114-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
behavioral2/memory/2036-124-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/464-126-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3444-130-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	family_neshta
behavioral2/memory/2480-179-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	family_neshta
behavioral2/memory/1080-212-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4324-221-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3428-214-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4456-237-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/880-244-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3432-253-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2356-255-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2596-262-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4156-268-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3556-269-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4864-271-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4728-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4184-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3164-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4788-287-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4660-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1352-300-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2576-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3160-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4708-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3736-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

sysmablsvr.exewinblrsnrcs.exe294231135.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	294231135.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Phorphiex payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	family_phorphiex
C:\Windows\mwupsrcvc.exe	family_phorphiex
C:\Windows\sysvratrel.exe	family_phorphiex
C:\Windows\sysmablsvr.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

3654830204.exewupgrdsv.exe

description	pid	process	target process
PID 2968 created 3512	2968	3654830204.exe	Explorer.EXE
PID 2968 created 3512	2968	3654830204.exe	Explorer.EXE
PID 3700 created 3512	3700	wupgrdsv.exe	Explorer.EXE
PID 3700 created 3512	3700	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 24 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winblrsnrcs.exemwupsrcvc.exe294231135.exesysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	294231135.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	949366~1.EXE

Executes dropped EXE 64 IoCs

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exesvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com

pid	process
2692	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
3600	svchost.com
2556	949366~1.EXE
4336	svchost.com
5068	949366~1.EXE
3872	svchost.com
912	949366~1.EXE
4460	svchost.com
3868	949366~1.EXE
5028	svchost.com
3604	949366~1.EXE
4164	svchost.com
1612	949366~1.EXE
4892	svchost.com
2036	949366~1.EXE
464	svchost.com
3444	949366~1.EXE
2480	svchost.com
1080	949366~1.EXE
3428	svchost.com
4324	949366~1.EXE
4456	svchost.com
880	949366~1.EXE
3432	svchost.com
2356	949366~1.EXE
2596	svchost.com
4156	949366~1.EXE
3556	svchost.com
4864	949366~1.EXE
4728	svchost.com
4184	949366~1.EXE
3164	svchost.com
4788	949366~1.EXE
4660	svchost.com
1352	949366~1.EXE
2576	svchost.com
3160	949366~1.EXE
4708	svchost.com
3736	949366~1.EXE
3892	svchost.com
2172	949366~1.EXE
2684	svchost.com
5088	949366~1.EXE
4832	svchost.com
4756	949366~1.EXE
1744	svchost.com
3668	949366~1.EXE
4456	svchost.com
3548	949366~1.EXE
2368	svchost.com
3432	949366~1.EXE
1492	svchost.com
636	949366~1.EXE
5024	svchost.com
1104	949366~1.EXE
4732	svchost.com
2776	949366~1.EXE
1472	svchost.com
3164	949366~1.EXE
2812	svchost.com
4432	949366~1.EXE
3612	svchost.com
4580	949366~1.EXE
4468	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

294231135.exemwupsrcvc.exesysmablsvr.exewinblrsnrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	mwupsrcvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	294231135.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblrsnrcs.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

762519103.exe949366~1.EXE294231135.exe337305550.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winblrsnrcs.exe"	762519103.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\mwupsrcvc.exe"	949366~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvratrel.exe"	294231135.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvratrel.exe"	294231135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	337305550.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 3700 set thread context of 1152 3700 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 3700 set thread context of 1152	3700	wupgrdsv.exe	notepad.exe

Drops file in Program Files directory 64 IoCs

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\notification_click_helper.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_pwa_launcher.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\notification_helper.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.com949366~1.EXEsvchost.comsvchost.com949366~1.EXE949366~1.EXEsvchost.comsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.comsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.comsvchost.com949366~1.EXEsvchost.comsvchost.com949366~1.EXEsvchost.com949366~1.EXE949366~1.EXEsvchost.com949366~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com949366~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com949366~1.EXEsvchost.comsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXE949366~1.EXEsvchost.comsvchost.com949366~1.EXEsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\directx.sys	949366~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE949366~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	949366~1.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3654830204.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
2968	3654830204.exe
2968	3654830204.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
2968	3654830204.exe
2968	3654830204.exe
3700	wupgrdsv.exe
3700	wupgrdsv.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
3700	wupgrdsv.exe
3700	wupgrdsv.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

294231135.exesysmablsvr.exe

pid process

720 294231135.exe
2576 sysmablsvr.exe

pid	process
720	294231135.exe
2576	sysmablsvr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeIncreaseQuotaPrivilege	3472	powershell.exe
Token: SeSecurityPrivilege	3472	powershell.exe
Token: SeTakeOwnershipPrivilege	3472	powershell.exe
Token: SeLoadDriverPrivilege	3472	powershell.exe
Token: SeSystemProfilePrivilege	3472	powershell.exe
Token: SeSystemtimePrivilege	3472	powershell.exe
Token: SeProfSingleProcessPrivilege	3472	powershell.exe
Token: SeIncBasePriorityPrivilege	3472	powershell.exe
Token: SeCreatePagefilePrivilege	3472	powershell.exe
Token: SeBackupPrivilege	3472	powershell.exe
Token: SeRestorePrivilege	3472	powershell.exe
Token: SeShutdownPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeSystemEnvironmentPrivilege	3472	powershell.exe
Token: SeRemoteShutdownPrivilege	3472	powershell.exe
Token: SeUndockPrivilege	3472	powershell.exe
Token: SeManageVolumePrivilege	3472	powershell.exe
Token: 33	3472	powershell.exe
Token: 34	3472	powershell.exe
Token: 35	3472	powershell.exe
Token: 36	3472	powershell.exe
Token: SeIncreaseQuotaPrivilege	3472	powershell.exe
Token: SeSecurityPrivilege	3472	powershell.exe
Token: SeTakeOwnershipPrivilege	3472	powershell.exe
Token: SeLoadDriverPrivilege	3472	powershell.exe
Token: SeSystemProfilePrivilege	3472	powershell.exe
Token: SeSystemtimePrivilege	3472	powershell.exe
Token: SeProfSingleProcessPrivilege	3472	powershell.exe
Token: SeIncBasePriorityPrivilege	3472	powershell.exe
Token: SeCreatePagefilePrivilege	3472	powershell.exe
Token: SeBackupPrivilege	3472	powershell.exe
Token: SeRestorePrivilege	3472	powershell.exe
Token: SeShutdownPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeSystemEnvironmentPrivilege	3472	powershell.exe
Token: SeRemoteShutdownPrivilege	3472	powershell.exe
Token: SeUndockPrivilege	3472	powershell.exe
Token: SeManageVolumePrivilege	3472	powershell.exe
Token: 33	3472	powershell.exe
Token: 34	3472	powershell.exe
Token: 35	3472	powershell.exe
Token: 36	3472	powershell.exe
Token: SeIncreaseQuotaPrivilege	3472	powershell.exe
Token: SeSecurityPrivilege	3472	powershell.exe
Token: SeTakeOwnershipPrivilege	3472	powershell.exe
Token: SeLoadDriverPrivilege	3472	powershell.exe
Token: SeSystemProfilePrivilege	3472	powershell.exe
Token: SeSystemtimePrivilege	3472	powershell.exe
Token: SeProfSingleProcessPrivilege	3472	powershell.exe
Token: SeIncBasePriorityPrivilege	3472	powershell.exe
Token: SeCreatePagefilePrivilege	3472	powershell.exe
Token: SeBackupPrivilege	3472	powershell.exe
Token: SeRestorePrivilege	3472	powershell.exe
Token: SeShutdownPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeSystemEnvironmentPrivilege	3472	powershell.exe
Token: SeRemoteShutdownPrivilege	3472	powershell.exe
Token: SeUndockPrivilege	3472	powershell.exe
Token: SeManageVolumePrivilege	3472	powershell.exe
Token: 33	3472	powershell.exe
Token: 34	3472	powershell.exe
Token: 35	3472	powershell.exe
Token: 36	3472	powershell.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

notepad.exe

pid	process
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe

Suspicious use of SendNotifyMessage 41 IoCs

Processes:

notepad.exe

pid	process
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe
1152	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exesvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXEsvchost.com949366~1.EXE

description	pid	process	target process
PID 4060 wrote to memory of 2692	4060	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
PID 4060 wrote to memory of 2692	4060	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
PID 4060 wrote to memory of 2692	4060	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
PID 2692 wrote to memory of 3600	2692	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	svchost.com
PID 2692 wrote to memory of 3600	2692	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	svchost.com
PID 2692 wrote to memory of 3600	2692	9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe	svchost.com
PID 3600 wrote to memory of 2556	3600	svchost.com	949366~1.EXE
PID 3600 wrote to memory of 2556	3600	svchost.com	949366~1.EXE
PID 3600 wrote to memory of 2556	3600	svchost.com	949366~1.EXE
PID 2556 wrote to memory of 4336	2556	949366~1.EXE	svchost.com
PID 2556 wrote to memory of 4336	2556	949366~1.EXE	svchost.com
PID 2556 wrote to memory of 4336	2556	949366~1.EXE	svchost.com
PID 4336 wrote to memory of 5068	4336	svchost.com	949366~1.EXE
PID 4336 wrote to memory of 5068	4336	svchost.com	949366~1.EXE
PID 4336 wrote to memory of 5068	4336	svchost.com	949366~1.EXE
PID 5068 wrote to memory of 3872	5068	949366~1.EXE	svchost.com
PID 5068 wrote to memory of 3872	5068	949366~1.EXE	svchost.com
PID 5068 wrote to memory of 3872	5068	949366~1.EXE	svchost.com
PID 3872 wrote to memory of 912	3872	svchost.com	svchost.com
PID 3872 wrote to memory of 912	3872	svchost.com	svchost.com
PID 3872 wrote to memory of 912	3872	svchost.com	svchost.com
PID 912 wrote to memory of 4460	912	949366~1.EXE	svchost.com
PID 912 wrote to memory of 4460	912	949366~1.EXE	svchost.com
PID 912 wrote to memory of 4460	912	949366~1.EXE	svchost.com
PID 4460 wrote to memory of 3868	4460	svchost.com	949366~1.EXE
PID 4460 wrote to memory of 3868	4460	svchost.com	949366~1.EXE
PID 4460 wrote to memory of 3868	4460	svchost.com	949366~1.EXE
PID 3868 wrote to memory of 5028	3868	949366~1.EXE	svchost.com
PID 3868 wrote to memory of 5028	3868	949366~1.EXE	svchost.com
PID 3868 wrote to memory of 5028	3868	949366~1.EXE	svchost.com
PID 5028 wrote to memory of 3604	5028	svchost.com	949366~1.EXE
PID 5028 wrote to memory of 3604	5028	svchost.com	949366~1.EXE
PID 5028 wrote to memory of 3604	5028	svchost.com	949366~1.EXE
PID 3604 wrote to memory of 4164	3604	949366~1.EXE	svchost.com
PID 3604 wrote to memory of 4164	3604	949366~1.EXE	svchost.com
PID 3604 wrote to memory of 4164	3604	949366~1.EXE	svchost.com
PID 4164 wrote to memory of 1612	4164	svchost.com	949366~1.EXE
PID 4164 wrote to memory of 1612	4164	svchost.com	949366~1.EXE
PID 4164 wrote to memory of 1612	4164	svchost.com	949366~1.EXE
PID 1612 wrote to memory of 4892	1612	949366~1.EXE	svchost.com
PID 1612 wrote to memory of 4892	1612	949366~1.EXE	svchost.com
PID 1612 wrote to memory of 4892	1612	949366~1.EXE	svchost.com
PID 4892 wrote to memory of 2036	4892	svchost.com	949366~1.EXE
PID 4892 wrote to memory of 2036	4892	svchost.com	949366~1.EXE
PID 4892 wrote to memory of 2036	4892	svchost.com	949366~1.EXE
PID 2036 wrote to memory of 464	2036	949366~1.EXE	svchost.com
PID 2036 wrote to memory of 464	2036	949366~1.EXE	svchost.com
PID 2036 wrote to memory of 464	2036	949366~1.EXE	svchost.com
PID 464 wrote to memory of 3444	464	svchost.com	949366~1.EXE
PID 464 wrote to memory of 3444	464	svchost.com	949366~1.EXE
PID 464 wrote to memory of 3444	464	svchost.com	949366~1.EXE
PID 3444 wrote to memory of 2480	3444	949366~1.EXE	svchost.com
PID 3444 wrote to memory of 2480	3444	949366~1.EXE	svchost.com
PID 3444 wrote to memory of 2480	3444	949366~1.EXE	svchost.com
PID 2480 wrote to memory of 1080	2480	svchost.com	949366~1.EXE
PID 2480 wrote to memory of 1080	2480	svchost.com	949366~1.EXE
PID 2480 wrote to memory of 1080	2480	svchost.com	949366~1.EXE
PID 1080 wrote to memory of 3428	1080	949366~1.EXE	svchost.com
PID 1080 wrote to memory of 3428	1080	949366~1.EXE	svchost.com
PID 1080 wrote to memory of 3428	1080	949366~1.EXE	svchost.com
PID 3428 wrote to memory of 4324	3428	svchost.com	949366~1.EXE
PID 3428 wrote to memory of 4324	3428	svchost.com	949366~1.EXE
PID 3428 wrote to memory of 4324	3428	svchost.com	949366~1.EXE
PID 4324 wrote to memory of 4456	4324	949366~1.EXE	svchost.com

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
"C:\Users\Admin\AppData\Local\Temp\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe"
2⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
22⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
24⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
25⤵
- Executes dropped EXE
PID:880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
26⤵
- Executes dropped EXE
PID:3432

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
27⤵
- Executes dropped EXE
- Modifies registry class
PID:2356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
28⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2596

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
29⤵
- Executes dropped EXE
PID:4156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
30⤵
- Executes dropped EXE
PID:3556

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
32⤵
- Executes dropped EXE
PID:4728

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
33⤵
- Executes dropped EXE
- Modifies registry class
PID:4184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
34⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
35⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
36⤵
- Executes dropped EXE
PID:4660

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
37⤵
- Checks computer location settings
- Executes dropped EXE
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
38⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
39⤵
- Executes dropped EXE
- Modifies registry class
PID:3160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
40⤵
- Executes dropped EXE
PID:4708

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
41⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
42⤵
- Executes dropped EXE
PID:3892

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
43⤵
- Executes dropped EXE
PID:2172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
44⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
45⤵
- Checks computer location settings
- Executes dropped EXE
PID:5088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
46⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4832

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
47⤵
- Executes dropped EXE
- Modifies registry class
PID:4756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
48⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1744

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
49⤵
- Executes dropped EXE
PID:3668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
50⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
51⤵
- Checks computer location settings
- Executes dropped EXE
PID:3548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
52⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2368

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
53⤵
- Executes dropped EXE
- Modifies registry class
PID:3432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
54⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
55⤵
- Executes dropped EXE
PID:636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
56⤵
- Executes dropped EXE
PID:5024

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
57⤵
- Executes dropped EXE
- Modifies registry class
PID:1104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
58⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
59⤵
- Executes dropped EXE
PID:2776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
60⤵
- Executes dropped EXE
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
61⤵
- Executes dropped EXE
PID:3164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
62⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2812

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
63⤵
- Executes dropped EXE
- Modifies registry class
PID:4432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
64⤵
- Executes dropped EXE
PID:3612

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
65⤵
- Executes dropped EXE
- Modifies registry class
PID:4580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
66⤵
- Executes dropped EXE
PID:4468

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
67⤵
PID:4112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
68⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
69⤵
- Checks computer location settings
PID:1256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
70⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
71⤵
PID:2980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
72⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
73⤵
- Drops file in Windows directory
- Modifies registry class
PID:3896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
74⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
75⤵
PID:1448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
76⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
77⤵
PID:5004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
78⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
79⤵
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
80⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
81⤵
- Checks computer location settings
PID:3408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
82⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
83⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
84⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
85⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
86⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
87⤵
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
88⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
89⤵
- Modifies registry class
PID:1252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
90⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
91⤵
PID:2920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
92⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
93⤵
- Checks computer location settings
- Modifies registry class
PID:4880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
94⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
95⤵
- Checks computer location settings
PID:4380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
96⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
97⤵
- Checks computer location settings
PID:3728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
98⤵
- Drops file in Windows directory
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
99⤵
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
100⤵
- Drops file in Windows directory
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
101⤵
- Checks computer location settings
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
102⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
103⤵
- Checks computer location settings
- Modifies registry class
PID:3124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
104⤵
- Drops file in Windows directory
PID:2016

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
105⤵
- Modifies registry class
PID:5004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
106⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
107⤵
- Checks computer location settings
PID:4532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
108⤵
- Drops file in Windows directory
PID:4164

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
109⤵
- Modifies registry class
PID:4072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
110⤵
- Drops file in Windows directory
PID:1676

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
111⤵
- Checks computer location settings
- Drops file in Windows directory
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
112⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
113⤵
PID:4524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
114⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
115⤵
PID:1648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
116⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
117⤵
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
118⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
119⤵
- Checks computer location settings
PID:4820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
120⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
121⤵
PID:4768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
122⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
123⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
124⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
125⤵
PID:3548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
126⤵
- Drops file in Windows directory
PID:2596

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
127⤵
PID:4156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
128⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
129⤵
- Drops file in Windows directory
- Modifies registry class
PID:4836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
130⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
131⤵
PID:1240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
132⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
133⤵
- Checks computer location settings
PID:4448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
134⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
135⤵
PID:3276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
136⤵
- Drops file in Windows directory
PID:3736

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
137⤵
- Checks computer location settings
PID:3084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
138⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
139⤵
- Checks computer location settings
PID:544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
140⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
141⤵
PID:2488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
142⤵
- Drops file in Windows directory
PID:600

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
143⤵
PID:4128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
144⤵
- Drops file in Windows directory
PID:556

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
145⤵
- Drops file in Windows directory
PID:4532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
146⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
147⤵
PID:3088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
148⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
149⤵
- Modifies registry class
PID:3500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
150⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
151⤵
- Modifies registry class
PID:3576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
152⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
153⤵
- Checks computer location settings
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
154⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
155⤵
- Modifies registry class
PID:3440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
156⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
157⤵
- Checks computer location settings
PID:3616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
158⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
159⤵
- Checks computer location settings
- Modifies registry class
PID:760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
160⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
161⤵
PID:600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
162⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
163⤵
PID:556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
164⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
165⤵
- Modifies registry class
PID:3524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
166⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
167⤵
- Checks computer location settings
PID:3936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
168⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
169⤵
- Checks computer location settings
PID:1832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
170⤵
- Drops file in Windows directory
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
171⤵
- Modifies registry class
PID:2416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
172⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
173⤵
- Modifies registry class
PID:3428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
174⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
175⤵
- Checks computer location settings
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
176⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
177⤵
PID:1308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
178⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
179⤵
PID:4888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
180⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
181⤵
- Checks computer location settings
PID:556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
182⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
183⤵
- Drops file in Windows directory
- Modifies registry class
PID:4836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
184⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
185⤵
PID:4892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
186⤵
PID:164

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
187⤵
PID:2196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
188⤵
- Drops file in Windows directory
PID:4296

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
189⤵
- Drops file in Windows directory
PID:3612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
190⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
191⤵
- Drops file in Windows directory
- Modifies registry class
PID:4812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
192⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
193⤵
- Checks computer location settings
- Modifies registry class
PID:2100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
194⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
195⤵
PID:636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
196⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
197⤵
- Drops file in Windows directory
- Modifies registry class
PID:2464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
198⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
199⤵
PID:3556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
200⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
201⤵
PID:4184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
202⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
203⤵
PID:3732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
204⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
205⤵
- Modifies registry class
PID:4524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
206⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
207⤵
- Modifies registry class
PID:3500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
208⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
209⤵
PID:2192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
210⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
211⤵
PID:2416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
212⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
213⤵
PID:1136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
214⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
215⤵
PID:2488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
216⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
217⤵
- Checks computer location settings
- Drops file in Windows directory
PID:600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
218⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
219⤵
- Drops file in Windows directory
- Modifies registry class
PID:4364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
220⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
221⤵
PID:4668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
222⤵
- Drops file in Windows directory
PID:4836

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
223⤵
PID:4788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
224⤵
- Drops file in Windows directory
PID:4892

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
225⤵
PID:464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
226⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
227⤵
- Checks computer location settings
PID:1572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
228⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
229⤵
PID:1832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
230⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
231⤵
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
232⤵
- Drops file in Windows directory
PID:4128

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
233⤵
- Checks computer location settings
- Modifies registry class
PID:5028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
234⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
235⤵
- Checks computer location settings
- Modifies registry class
PID:3944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
236⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
237⤵
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
238⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
239⤵
- Modifies registry class
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
240⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
241⤵
- Checks computer location settings
- Modifies registry class
PID:2808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
242⤵
- Drops file in Windows directory
PID:4784

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
243⤵
PID:2812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
244⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
245⤵
- Checks computer location settings
PID:3204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
246⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
247⤵
PID:3500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
248⤵
- Drops file in Windows directory
PID:2192

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
249⤵
- Checks computer location settings
- Modifies registry class
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
250⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
251⤵
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
252⤵
- Drops file in Windows directory
PID:4128

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
253⤵
PID:2448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
254⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
255⤵
- Checks computer location settings
PID:4652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
256⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
257⤵
PID:4532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
258⤵
- Drops file in Windows directory
PID:4364

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
259⤵
- Modifies registry class
PID:2368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
260⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
261⤵
- Checks computer location settings
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
262⤵
- Drops file in Windows directory
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
263⤵
PID:4892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
264⤵
PID:164

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
265⤵
PID:2500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
266⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
267⤵
PID:4860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
268⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
269⤵
PID:3276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
270⤵
- Drops file in Windows directory
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
271⤵
PID:2100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
272⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
273⤵
- Modifies registry class
PID:4420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
274⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
275⤵
- Modifies registry class
PID:4904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
276⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
277⤵
- Checks computer location settings
- Modifies registry class
PID:2684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
278⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
279⤵
- Drops file in Windows directory
PID:1472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
280⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
281⤵
- Drops file in Windows directory
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
282⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
283⤵
- Checks computer location settings
PID:5096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
284⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
285⤵
- Drops file in Windows directory
- Modifies registry class
PID:2240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
286⤵
- Drops file in Windows directory
PID:2464

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
287⤵
- Checks computer location settings
PID:2100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
288⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
289⤵
PID:4420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
290⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
291⤵
- Checks computer location settings
PID:4268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
292⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
293⤵
- Checks computer location settings
- Modifies registry class
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
294⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
295⤵
- Checks computer location settings
PID:3176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
296⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
297⤵
PID:2960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
298⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
299⤵
- Checks computer location settings
- Modifies registry class
PID:3272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
300⤵
- Drops file in Windows directory
PID:2016

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
301⤵
- Modifies registry class
PID:4512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
302⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
303⤵
- Modifies registry class
PID:2480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
304⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
305⤵
PID:1604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
306⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
307⤵
- Drops file in Windows directory
- Modifies registry class
PID:2824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
308⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
309⤵
PID:4796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
310⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
311⤵
- Drops file in Windows directory
PID:1472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
312⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
313⤵
- Drops file in Windows directory
PID:4504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
314⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
315⤵
- Checks computer location settings
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
316⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
317⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
318⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
319⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
320⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
321⤵
PID:2436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
322⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
323⤵
- Checks computer location settings
PID:4184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
324⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
325⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
326⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
327⤵
PID:648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
328⤵
- Drops file in Windows directory
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
329⤵
- Checks computer location settings
PID:3124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
330⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
331⤵
- Checks computer location settings
- Modifies registry class
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
332⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
333⤵
- Modifies registry class
PID:528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
334⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
335⤵
- Modifies registry class
PID:2480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
336⤵
- Drops file in Windows directory
PID:3524

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
337⤵
PID:2684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
338⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
339⤵
- Modifies registry class
PID:2500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
340⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
341⤵
- Modifies registry class
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
342⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
343⤵
- Checks computer location settings
- Modifies registry class
PID:5096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
344⤵
- Drops file in Windows directory
PID:2680

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
345⤵
- Checks computer location settings
- Modifies registry class
PID:4192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
346⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
347⤵
- Checks computer location settings
- Modifies registry class
PID:4400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
348⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
349⤵
- Drops file in Windows directory
PID:2240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
350⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
351⤵
- Checks computer location settings
- Modifies registry class
PID:1648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
352⤵
- Drops file in Windows directory
PID:672

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
353⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
354⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
355⤵
- Checks computer location settings
- Modifies registry class
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
356⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
357⤵
PID:1472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
358⤵
- Drops file in Windows directory
PID:4840

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
359⤵
- Checks computer location settings
- Modifies registry class
PID:3104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
360⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
361⤵
PID:4100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
362⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
363⤵
- Modifies registry class
PID:3776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
364⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
365⤵
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
366⤵
- Drops file in Windows directory
PID:4904

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
367⤵
- Checks computer location settings
- Modifies registry class
PID:4924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
368⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
369⤵
- Checks computer location settings
PID:2272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE"
370⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\949366~1.EXE
371⤵
- Adds Run key to start application
PID:3092

C:\Windows\mwupsrcvc.exe
C:\Windows\mwupsrcvc.exe
372⤵
- Windows security bypass
- Windows security modification
PID:4860

C:\Users\Admin\AppData\Local\Temp\294231135.exe
C:\Users\Admin\AppData\Local\Temp\294231135.exe
373⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
PID:720

C:\Users\Admin\AppData\Local\Temp\337305550.exe
C:\Users\Admin\AppData\Local\Temp\337305550.exe
374⤵
- Adds Run key to start application
PID:2436

C:\Windows\sysmablsvr.exe
C:\Windows\sysmablsvr.exe
375⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Suspicious behavior: SetClipboardViewer
PID:2576

C:\Users\Admin\AppData\Local\Temp\1500011205.exe
C:\Users\Admin\AppData\Local\Temp\1500011205.exe
376⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\308149662.exe
C:\Users\Admin\AppData\Local\Temp\308149662.exe
376⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\1534333491.exe
C:\Users\Admin\AppData\Local\Temp\1534333491.exe
376⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\254924911.exe
C:\Users\Admin\AppData\Local\Temp\254924911.exe
376⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\220043909.exe
C:\Users\Admin\AppData\Local\Temp\220043909.exe
374⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\3654830204.exe
C:\Users\Admin\AppData\Local\Temp\3654830204.exe
375⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Users\Admin\AppData\Local\Temp\2309528042.exe
C:\Users\Admin\AppData\Local\Temp\2309528042.exe
374⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\762519103.exe
C:\Users\Admin\AppData\Local\Temp\762519103.exe
374⤵
- Adds Run key to start application
PID:3588

C:\Windows\winblrsnrcs.exe
C:\Windows\winblrsnrcs.exe
375⤵
- Modifies security service
- Windows security bypass
- Windows security modification
PID:3936

C:\Users\Admin\AppData\Local\Temp\2811134215.exe
C:\Users\Admin\AppData\Local\Temp\2811134215.exe
376⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\1538026043.exe
C:\Users\Admin\AppData\Local\Temp\1538026043.exe
376⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\1952520216.exe
C:\Users\Admin\AppData\Local\Temp\1952520216.exe
376⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\2827728613.exe
C:\Users\Admin\AppData\Local\Temp\2827728613.exe
376⤵
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
2⤵
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3524

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4068,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3164

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv hnEc6sYhzUuKLLfQVxt3fA.0.2
1⤵
PID:4156

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
1.2MB

MD5
e316c67c785d3e39e90341b0bbaac705

SHA1
7ffd89492438a97ad848068cfdaab30c66afca35

SHA256
4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478

SHA512
25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
773KB

MD5
e7a27a45efa530c657f58fda9f3b9f4a

SHA1
6c0d29a8b75574e904ab1c39fc76b39ca8f8e461

SHA256
d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5

SHA512
0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
Filesize
325KB

MD5
6f87ccb8ab73b21c9b8288b812de8efa

SHA1
a709254f843a4cb50eec3bb0a4170ad3e74ea9b3

SHA256
14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22

SHA512
619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
Filesize
505KB

MD5
de69c005b0bbb513e946389227183eeb

SHA1
2a64efdcdc71654356f77a5b77da8b840dcc6674

SHA256
ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7

SHA512
6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe
Filesize
598KB

MD5
ac0d708bbcd017ea66c1e5342769247f

SHA1
80ac2eba3acd2c5cd46b5dd0d7d4e50bc1dcd832

SHA256
9bad891baaba2084cb551b981b9eec735f3a9482b51b4b3abbabf76dbc217cd2

SHA512
4bc2f1d9d86407776a725a97f80f8ffd88c5139977ee84bbefd7e01b37a4665f1ccf23bde4ac3f9bcaf8bb4159868577153bf93bb07abc4e7924b12019cb18a2

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe
Filesize
6.8MB

MD5
3c6af29363b09b1fe010b098eb483da8

SHA1
a3eb972dad6881268d5aec7db7a5b3112d0d5f82

SHA256
82ff701fb161ceff3a018b7a744a71c9e88b7009e32792499b742c2b0a88ec01

SHA512
6fbff42fca39c93a972e55b227f05a507ea494a4cd22a0e09c578c144bb9bc3eea9ab8402ffa1f1c7e10bd53c4384e68049aeb51d729629cc9f0624d0fd747fa

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe
Filesize
162KB

MD5
452b247061b3cf1def0aceee27b4a522

SHA1
2ce1a0ce564e41095691184682518826db1d7e9c

SHA256
484ca6e9fbfea88a939ff7cc511ac52b40631554efaf35ffc210dd56f2b2d9fa

SHA512
d395a82ac1e4e4a926b91e8ee465a2f457f20e011822c08ad17282378382dfe980b13b979db9aadce201df41c27922f77ba4c18b81c336744cfcf955b42c1f21

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe
Filesize
1.8MB

MD5
f6d23b507a70dc334edc1f7a83f23f35

SHA1
faad9c7cc838feca898f79a59ee3fc172b4c793b

SHA256
66c7ddec71930588f69aa9b2ea682a4b5e166ff4d12e3a053b6bc73b44f24992

SHA512
cce30fb7085c6b833532b5d64c6d2c9af9a5dd9b1b74832a2c526ea1944c360bbdb7e0d65de6f9db068a650c0abcd65490e33240618e8e8fd0da0348dd00022d

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe
Filesize
1.2MB

MD5
f4c739b8d39e94691f85aca0f3007eed

SHA1
8f0ba5301a025835a024dcf9312fdddf8d49cba2

SHA256
95cfee63090a0368c1d5e49a7e6d3b0f219a6ff1fb4e835bbab9e7689d273d47

SHA512
ef35fb3857a8a192223bf5f49cd9f7a4007fbb5c34171a3f42900dad1db7b4d1b20804b2c1c296ad4950942d0a92c4d5ab8e495aeed0e350bc4f216cdfff8b4b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe
Filesize
3.9MB

MD5
f72b423cf9cc798732925eed3cf2e60c

SHA1
79704a4604020a0f6e7ae63d1be486cdbe08e061

SHA256
a978d5aa986b25b229b3c45120b9cac1f223497cfb870c869b86aedcdc4602f1

SHA512
0d72aaf9fa6acc92da60c34f59c72fa07ec5d857dfeea114613bc94de44154fa2d6a94aa8dea47a8212e74776c76b8cc2049f787d726361400521f724458c55f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe
Filesize
3.5MB

MD5
8d02e12a6e12a15882584f2ce59c93cb

SHA1
d868bf3c491e5f8cd1c9dd0e11f962408053a655

SHA256
0eb172c21b63cce9fb42a2692a2b298c2e9800ff0d74994956d8bd82029ec897

SHA512
19155cdd269430f6f2c88a3e404f099548166a0f7c333148db38dbee964323b51e6b90715b2d2d16f786a1b59147f74160e308eb66bc737a9fd26a7b3485247a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1534333491.exe
Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\308149662.exe
Filesize
10KB

MD5
7c87cc439123fea37a7c1e459ae1d657

SHA1
75a058b3de5457b56abd5066ea4749449a7af6e3

SHA256
d4ef7cc0fac2ac0cddd7e20aceeb7f028f317f56bd3d912f7f869b019015a086

SHA512
588ef28e19149381b00de351493e39558786660e2e6d89575a84022121cb980f2d3ad3e753643b1f1833ec0ef28b16f5f0ea39bae1dd5bf0f3114a511c87cb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\308149662.exe
Filesize
10KB

MD5
6567b839ec69322ba1aa41b15fbd1e64

SHA1
0a2a0770afe094765a5eb88f6201847bf642bea9

SHA256
8a4b87ed94fc50767d0bc91291a8b8a436b941b273b29ab0d442ba1cc10b76fb

SHA512
2e4798244bf3891beea64ee0b0d106c6f47b7c7d6daf222af6192874dc0ef67491c82e93821c1ff9fbd25cf9ec50178e959adb466b210ff9754dd4e8387a30cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79.exe
Filesize
117KB

MD5
ce7bd1e16c69eebe428e255a1eca5176

SHA1
21e50879b31b81a9e627544e107a31cb2c1742be

SHA256
477ae49579b1d43a997c8f9955758a2da5f3df3882d1841258e3972f4242b530

SHA512
96c9268ca8a9ca1fd7faefc11a6381e3911b9afabf7b3dd5758de9d225605973ff16c28e4fd2e763c6db64c268b5a983ec19728978f329902a2be65e79260ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\638017043.exe
Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwnnhzw4.3b4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
003462a89aa4b53b02a0d10e34417a0e

SHA1
d3f9ffe0658fbafd5bdab25aa9f9372ec683fd01

SHA256
195d6b4b4b26ad9197deef9df78d18cf8d01b95a5de169d41eac4742fcd25525

SHA512
dda8f81f282da808f644e0816e40dcfe29dc5c905619bdf026d23fde0d6ea99cbe6d3d904d74b099a40fd753e544899c685a614812d0992f783573dae6ac79f4

Download Submit
C:\Windows\mwupsrcvc.exe
Filesize
77KB

MD5
22aa63ba7abc7e9c395379d1fb9239cc

SHA1
16ddbfc7934ea678ac4449293f09e9b9962f1f05

SHA256
d8f37cadc7d254e526a1c516e21e820dc5b8ec836d4ff3f49f58e9613f785ff8

SHA512
db62db3a8ade0ea949a69574ff350bf9a4492c288207b91318e1818b6fe4d624af1211aecce2186cc09523b17dcb574151f48492ee16d1945ff26d920503b3af

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\sysmablsvr.exe
Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Windows\sysvratrel.exe
Filesize
84KB

MD5
cd1d9c0ed8763e6bb3ee7efb133dc60e

SHA1
f6f3bea085ba7c13a2956fc0810c2034792f2ddf

SHA256
19ee79b7852c54de5883404f049f9e85cb0085bae8132ada3e46d6f75b24b100

SHA512
77b675fdbfc11bff45e2438cb1bd73b7fbfa03771c600e37171f684141c82f356e392ba2694285390aedbb3ecd3306a3c0f8687d0a1940d8d44cae3a7fc41591

Download Submit
C:\Windows\winblrsnrcs.exe
Filesize
18KB

MD5
30dca8b68825d5b3db7a685aa3da0a13

SHA1
07320822d14d6caf8825dd6d806c0cde398584f3

SHA256
f2dc635cb5fe8b8815ea98d909b67016975ca8e5a43cb39e47595ecd01038a96

SHA512
b5f3be086d3f7c751028d8d8a025069743b2472cec10252627f5583492383a5a865e88ad5839d83bf3a3c31b5b630753e77a2c02433d7fbe90aa11acd0f35f0c

Download Submit
memory/464-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/636-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/880-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/912-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1080-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1104-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1492-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2172-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2356-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2480-179-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-262-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2776-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2812-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3160-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3164-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3164-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3428-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3432-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3432-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-130-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3472-1335-0x0000011FFA310000-0x0000011FFA332000-memory.dmp

Filesize
136KB

Download
memory/3548-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3556-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3600-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3604-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3612-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3668-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3736-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3868-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3872-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3892-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4112-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4156-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4164-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4184-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4324-221-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4336-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4432-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4456-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4456-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4460-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4468-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4580-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4660-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4708-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4728-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4732-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4756-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4788-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4832-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4864-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4892-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5024-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5028-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5068-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5088-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download