neshta | 0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
Size

156KB
MD5

aa28630b1d123bb45b7362d0b4c4b100
SHA1

acdf7d95d6f81103271c81652ce5c3ca37dabab7
SHA256

0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c
SHA512

b92341f0fed290a10f660294626a92e41a82c3b9858075200ee76c25e3d750a0ddbe76921ab2c7aeac328e29d7fa97bedc4d47adb83a60aef8695c6392694fd7
SSDEEP

1536:JxqjQ+P04wsmJCwugrZpVnWw7V15Frrmie3Mz8enofIxQrFP+ZruOxqjQ+P04wsX:sr85CwugDVnj7V15FrvweZQhGZwr85C

Score

10^/10

neshta phorphiex evasion loader persistence spyware stealer trojan worm

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/4600-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4124-20-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1972-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3432-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3192-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1824-50-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5004-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/768-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3868-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4928-75-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1352-77-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
behavioral2/memory/2136-101-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
behavioral2/memory/2192-108-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2724-118-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4552-120-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1028-124-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4872-138-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
behavioral2/memory/3216-147-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{97D61~1\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe	family_neshta
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	family_neshta
behavioral2/memory/2760-228-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2372-232-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4232-246-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4844-248-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2276-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1708-260-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2732-266-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4344-268-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1032-274-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3152-276-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1368-282-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2120-289-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1088-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4656-297-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2184-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3404-300-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1920-306-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2576-313-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3396-314-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1812-316-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2240-322-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1996-329-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1448-330-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2444-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1400-338-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe	family_phorphiex
C:\Windows\winrecsv.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winrecsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winrecsv.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0F63FB~1.EXE

Executes dropped EXE 64 IoCs

Processes:

0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exesvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com

pid	process
1192	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
4600	svchost.com
4124	0F63FB~1.EXE
1972	svchost.com
3432	0F63FB~1.EXE
3192	svchost.com
1824	0F63FB~1.EXE
5004	svchost.com
768	0F63FB~1.EXE
3868	svchost.com
4928	0F63FB~1.EXE
1352	svchost.com
2136	0F63FB~1.EXE
2192	svchost.com
2724	0F63FB~1.EXE
4552	svchost.com
1028	0F63FB~1.EXE
4872	svchost.com
3216	0F63FB~1.EXE
2760	svchost.com
2372	0F63FB~1.EXE
4232	svchost.com
4844	0F63FB~1.EXE
2276	svchost.com
1708	0F63FB~1.EXE
2732	svchost.com
4344	0F63FB~1.EXE
1032	svchost.com
3152	0F63FB~1.EXE
1368	svchost.com
2120	0F63FB~1.EXE
1088	svchost.com
4656	0F63FB~1.EXE
2184	svchost.com
3404	0F63FB~1.EXE
1920	svchost.com
2576	0F63FB~1.EXE
3396	svchost.com
1812	0F63FB~1.EXE
2240	svchost.com
1996	0F63FB~1.EXE
1448	svchost.com
2444	0F63FB~1.EXE
1400	svchost.com
1156	0F63FB~1.EXE
4064	svchost.com
4440	0F63FB~1.EXE
4984	svchost.com
2200	0F63FB~1.EXE
3540	svchost.com
4580	0F63FB~1.EXE
2492	svchost.com
4236	0F63FB~1.EXE
3456	svchost.com
2056	0F63FB~1.EXE
2324	svchost.com
4616	0F63FB~1.EXE
4308	svchost.com
4812	0F63FB~1.EXE
388	svchost.com
1236	0F63FB~1.EXE
4600	svchost.com
2364	0F63FB~1.EXE
1972	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winrecsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winrecsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winrecsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0F63FB~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe"	0F63FB~1.EXE

Drops file in Program Files directory 64 IoCs

Processes:

0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXEsvchost.comsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXE0F63FB~1.EXEsvchost.comsvchost.com0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.comsvchost.com0F63FB~1.EXEsvchost.comsvchost.com0F63FB~1.EXEsvchost.comsvchost.comsvchost.com0F63FB~1.EXEsvchost.comsvchost.com0F63FB~1.EXEsvchost.comsvchost.com0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXEsvchost.com0F63FB~1.EXE0F63FB~1.EXEsvchost.comsvchost.comsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXE0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.comsvchost.comsvchost.com0F63FB~1.EXEsvchost.comsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXE0F63FB~1.EXE

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	0F63FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE
File opened for modification	C:\Windows\svchost.com	0F63FB~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE0F63FB~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0F63FB~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exesvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXEsvchost.com0F63FB~1.EXE

description	pid	process	target process
PID 4788 wrote to memory of 1192	4788	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
PID 4788 wrote to memory of 1192	4788	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
PID 4788 wrote to memory of 1192	4788	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
PID 1192 wrote to memory of 4600	1192	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe	svchost.com
PID 1192 wrote to memory of 4600	1192	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe	svchost.com
PID 1192 wrote to memory of 4600	1192	0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe	svchost.com
PID 4600 wrote to memory of 4124	4600	svchost.com	0F63FB~1.EXE
PID 4600 wrote to memory of 4124	4600	svchost.com	0F63FB~1.EXE
PID 4600 wrote to memory of 4124	4600	svchost.com	0F63FB~1.EXE
PID 4124 wrote to memory of 1972	4124	0F63FB~1.EXE	svchost.com
PID 4124 wrote to memory of 1972	4124	0F63FB~1.EXE	svchost.com
PID 4124 wrote to memory of 1972	4124	0F63FB~1.EXE	svchost.com
PID 1972 wrote to memory of 3432	1972	svchost.com	0F63FB~1.EXE
PID 1972 wrote to memory of 3432	1972	svchost.com	0F63FB~1.EXE
PID 1972 wrote to memory of 3432	1972	svchost.com	0F63FB~1.EXE
PID 3432 wrote to memory of 3192	3432	0F63FB~1.EXE	svchost.com
PID 3432 wrote to memory of 3192	3432	0F63FB~1.EXE	svchost.com
PID 3432 wrote to memory of 3192	3432	0F63FB~1.EXE	svchost.com
PID 3192 wrote to memory of 1824	3192	svchost.com	0F63FB~1.EXE
PID 3192 wrote to memory of 1824	3192	svchost.com	0F63FB~1.EXE
PID 3192 wrote to memory of 1824	3192	svchost.com	0F63FB~1.EXE
PID 1824 wrote to memory of 5004	1824	0F63FB~1.EXE	svchost.com
PID 1824 wrote to memory of 5004	1824	0F63FB~1.EXE	svchost.com
PID 1824 wrote to memory of 5004	1824	0F63FB~1.EXE	svchost.com
PID 5004 wrote to memory of 768	5004	svchost.com	0F63FB~1.EXE
PID 5004 wrote to memory of 768	5004	svchost.com	0F63FB~1.EXE
PID 5004 wrote to memory of 768	5004	svchost.com	0F63FB~1.EXE
PID 768 wrote to memory of 3868	768	0F63FB~1.EXE	svchost.com
PID 768 wrote to memory of 3868	768	0F63FB~1.EXE	svchost.com
PID 768 wrote to memory of 3868	768	0F63FB~1.EXE	svchost.com
PID 3868 wrote to memory of 4928	3868	svchost.com	0F63FB~1.EXE
PID 3868 wrote to memory of 4928	3868	svchost.com	0F63FB~1.EXE
PID 3868 wrote to memory of 4928	3868	svchost.com	0F63FB~1.EXE
PID 4928 wrote to memory of 1352	4928	0F63FB~1.EXE	svchost.com
PID 4928 wrote to memory of 1352	4928	0F63FB~1.EXE	svchost.com
PID 4928 wrote to memory of 1352	4928	0F63FB~1.EXE	svchost.com
PID 1352 wrote to memory of 2136	1352	svchost.com	0F63FB~1.EXE
PID 1352 wrote to memory of 2136	1352	svchost.com	0F63FB~1.EXE
PID 1352 wrote to memory of 2136	1352	svchost.com	0F63FB~1.EXE
PID 2136 wrote to memory of 2192	2136	0F63FB~1.EXE	svchost.com
PID 2136 wrote to memory of 2192	2136	0F63FB~1.EXE	svchost.com
PID 2136 wrote to memory of 2192	2136	0F63FB~1.EXE	svchost.com
PID 2192 wrote to memory of 2724	2192	svchost.com	svchost.com
PID 2192 wrote to memory of 2724	2192	svchost.com	svchost.com
PID 2192 wrote to memory of 2724	2192	svchost.com	svchost.com
PID 2724 wrote to memory of 4552	2724	0F63FB~1.EXE	svchost.com
PID 2724 wrote to memory of 4552	2724	0F63FB~1.EXE	svchost.com
PID 2724 wrote to memory of 4552	2724	0F63FB~1.EXE	svchost.com
PID 4552 wrote to memory of 1028	4552	svchost.com	0F63FB~1.EXE
PID 4552 wrote to memory of 1028	4552	svchost.com	0F63FB~1.EXE
PID 4552 wrote to memory of 1028	4552	svchost.com	0F63FB~1.EXE
PID 1028 wrote to memory of 4872	1028	0F63FB~1.EXE	svchost.com
PID 1028 wrote to memory of 4872	1028	0F63FB~1.EXE	svchost.com
PID 1028 wrote to memory of 4872	1028	0F63FB~1.EXE	svchost.com
PID 4872 wrote to memory of 3216	4872	svchost.com	0F63FB~1.EXE
PID 4872 wrote to memory of 3216	4872	svchost.com	0F63FB~1.EXE
PID 4872 wrote to memory of 3216	4872	svchost.com	0F63FB~1.EXE
PID 3216 wrote to memory of 2760	3216	0F63FB~1.EXE	svchost.com
PID 3216 wrote to memory of 2760	3216	0F63FB~1.EXE	svchost.com
PID 3216 wrote to memory of 2760	3216	0F63FB~1.EXE	svchost.com
PID 2760 wrote to memory of 2372	2760	svchost.com	0F63FB~1.EXE
PID 2760 wrote to memory of 2372	2760	svchost.com	0F63FB~1.EXE
PID 2760 wrote to memory of 2372	2760	svchost.com	0F63FB~1.EXE
PID 2372 wrote to memory of 4232	2372	0F63FB~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\3582-490\0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
23⤵
- Executes dropped EXE
PID:4232

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
24⤵
- Checks computer location settings
- Executes dropped EXE
PID:4844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
25⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
26⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
27⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
28⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
29⤵
- Executes dropped EXE
PID:1032

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
30⤵
- Executes dropped EXE
PID:3152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
31⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
32⤵
- Executes dropped EXE
- Modifies registry class
PID:2120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
33⤵
- Executes dropped EXE
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
34⤵
- Executes dropped EXE
PID:4656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
35⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
36⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
37⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
38⤵
- Checks computer location settings
- Executes dropped EXE
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
39⤵
- Executes dropped EXE
PID:3396

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
40⤵
- Executes dropped EXE
- Modifies registry class
PID:1812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
41⤵
- Executes dropped EXE
PID:2240

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
42⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
43⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1448

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
44⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
45⤵
- Executes dropped EXE
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
46⤵
- Executes dropped EXE
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
47⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4064

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
48⤵
- Checks computer location settings
- Executes dropped EXE
PID:4440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
49⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
50⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2200

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
51⤵
- Executes dropped EXE
PID:3540

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
52⤵
- Checks computer location settings
- Executes dropped EXE
PID:4580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
53⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
54⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
55⤵
- Executes dropped EXE
PID:3456

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
56⤵
- Executes dropped EXE
- Modifies registry class
PID:2056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
57⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
58⤵
- Executes dropped EXE
PID:4616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
59⤵
- Executes dropped EXE
PID:4308

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
60⤵
- Executes dropped EXE
PID:4812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
61⤵
- Executes dropped EXE
PID:388

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
62⤵
- Checks computer location settings
- Executes dropped EXE
PID:1236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
63⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4600

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
64⤵
- Executes dropped EXE
PID:2364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
66⤵
PID:4672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
67⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
68⤵
- Drops file in Windows directory
- Modifies registry class
PID:1796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
69⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
70⤵
PID:1420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
71⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
72⤵
- Modifies registry class
PID:1616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
73⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
74⤵
- Modifies registry class
PID:3404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
75⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
76⤵
- Checks computer location settings
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
77⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
78⤵
PID:3000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
79⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
80⤵
PID:4496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
81⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
82⤵
- Modifies registry class
PID:1028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
83⤵
- Drops file in Windows directory
PID:2268

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
84⤵
PID:5096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
85⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
86⤵
- Checks computer location settings
PID:1196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
87⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
88⤵
- Checks computer location settings
PID:760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
89⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
90⤵
PID:2492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
91⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
92⤵
- Modifies registry class
PID:3456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
93⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
94⤵
- Drops file in Windows directory
- Modifies registry class
PID:2324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
95⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
96⤵
- Modifies registry class
PID:1416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
97⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
98⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
99⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
100⤵
- Checks computer location settings
PID:1520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
101⤵
- Drops file in Windows directory
PID:1464

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
102⤵
- Modifies registry class
PID:2732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
103⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
104⤵
- Modifies registry class
PID:1124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
105⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
106⤵
- Checks computer location settings
- Modifies registry class
PID:3192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
107⤵
- Drops file in Windows directory
PID:4992

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
108⤵
PID:1796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
109⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
110⤵
PID:2008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
111⤵
- Drops file in Windows directory
PID:3992

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
112⤵
- Checks computer location settings
PID:2184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
113⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
114⤵
- Modifies registry class
PID:4188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
115⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
116⤵
PID:3644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
117⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
118⤵
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
119⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
120⤵
PID:688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
121⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
122⤵
PID:3000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
123⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
124⤵
PID:5056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
125⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
126⤵
PID:3876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
127⤵
- Drops file in Windows directory
PID:3084

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
128⤵
- Checks computer location settings
PID:8

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
129⤵
- Drops file in Windows directory
PID:1512

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
130⤵
- Checks computer location settings
PID:4696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
131⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
132⤵
- Modifies registry class
PID:2040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
133⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
134⤵
PID:3592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
135⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
136⤵
- Modifies registry class
PID:3948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
137⤵
- Drops file in Windows directory
PID:3756

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
138⤵
PID:2492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
139⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
140⤵
- Checks computer location settings
PID:2760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
141⤵
- Drops file in Windows directory
PID:1556

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
142⤵
- Drops file in Windows directory
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
143⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
144⤵
- Drops file in Windows directory
- Modifies registry class
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
145⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
146⤵
- Modifies registry class
PID:3176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
147⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
148⤵
- Modifies registry class
PID:2732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
149⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
150⤵
PID:1284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
151⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
152⤵
PID:4192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
153⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
154⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
155⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
156⤵
- Modifies registry class
PID:3372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
157⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
158⤵
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
159⤵
- Drops file in Windows directory
PID:1824

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
160⤵
PID:1912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
161⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
162⤵
- Modifies registry class
PID:4552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
163⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
164⤵
PID:2260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
165⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
166⤵
- Drops file in Windows directory
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
167⤵
- Drops file in Windows directory
PID:2168

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
168⤵
- Checks computer location settings
PID:1412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
169⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
170⤵
- Checks computer location settings
PID:2312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
171⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
172⤵
- Checks computer location settings
- Modifies registry class
PID:3972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
173⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
174⤵
PID:3096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
175⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
176⤵
PID:4616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
177⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
178⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
179⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
180⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
181⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
182⤵
- Modifies registry class
PID:2148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
183⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
184⤵
- Drops file in Windows directory
PID:1612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
185⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
186⤵
- Modifies registry class
PID:2232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
187⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
188⤵
- Checks computer location settings
PID:4928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
189⤵
- Drops file in Windows directory
PID:1916

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
190⤵
PID:1308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
191⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
192⤵
- Checks computer location settings
PID:744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
193⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
194⤵
PID:1256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
195⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
196⤵
- Checks computer location settings
PID:3964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
197⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
198⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
199⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
200⤵
PID:4820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
201⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
202⤵
PID:4056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
203⤵
- Drops file in Windows directory
PID:5072

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
204⤵
PID:4816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
205⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
206⤵
- Drops file in Windows directory
- Modifies registry class
PID:440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
207⤵
- Drops file in Windows directory
PID:2684

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
208⤵
PID:2760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
209⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
210⤵
- Modifies registry class
PID:2396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
211⤵
- Drops file in Windows directory
PID:5024

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
212⤵
- Modifies registry class
PID:2848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
213⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
214⤵
PID:4304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
215⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
216⤵
PID:1124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
217⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
218⤵
PID:2488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
219⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
220⤵
- Modifies registry class
PID:1284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
221⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
222⤵
- Checks computer location settings
PID:4072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
223⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
224⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
225⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
226⤵
- Checks computer location settings
PID:4668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
227⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
228⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
229⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
230⤵
PID:2724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
231⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
232⤵
PID:5056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
233⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
234⤵
- Checks computer location settings
PID:3084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
235⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
236⤵
PID:1924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
237⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
238⤵
- Checks computer location settings
- Modifies registry class
PID:4984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
239⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
240⤵
- Drops file in Windows directory
PID:4584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
241⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
242⤵
- Checks computer location settings
PID:2456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
243⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
244⤵
- Checks computer location settings
- Modifies registry class
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
245⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
246⤵
- Modifies registry class
PID:3264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
247⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
248⤵
- Checks computer location settings
PID:2876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
249⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
250⤵
PID:2604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
251⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
252⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
253⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
254⤵
PID:3176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
255⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
256⤵
- Drops file in Windows directory
- Modifies registry class
PID:4480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
257⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
258⤵
- Modifies registry class
PID:3104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
259⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
260⤵
- Checks computer location settings
PID:1612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
261⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
262⤵
PID:4452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
263⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
264⤵
- Checks computer location settings
PID:368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
265⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
266⤵
PID:1912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
267⤵
- Drops file in Windows directory
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
268⤵
- Modifies registry class
PID:4896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
269⤵
- Drops file in Windows directory
PID:1540

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
270⤵
- Drops file in Windows directory
PID:3664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
271⤵
- Drops file in Windows directory
PID:4696

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
272⤵
PID:4060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
273⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
274⤵
PID:1928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
275⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
276⤵
PID:4704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
277⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
278⤵
- Checks computer location settings
PID:3516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
279⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
280⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
281⤵
- Drops file in Windows directory
PID:2620

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
282⤵
- Modifies registry class
PID:4660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
283⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
284⤵
- Checks computer location settings
- Modifies registry class
PID:4836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
285⤵
- Drops file in Windows directory
PID:1464

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
286⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1200

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
287⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
288⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
289⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
290⤵
- Modifies registry class
PID:3720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
291⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
292⤵
- Checks computer location settings
- Modifies registry class
PID:2616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
293⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
294⤵
- Checks computer location settings
- Modifies registry class
PID:3928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
295⤵
- Drops file in Windows directory
PID:2412

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
296⤵
PID:2800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
297⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
298⤵
- Modifies registry class
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
299⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
300⤵
- Checks computer location settings
PID:1652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
301⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
302⤵
- Drops file in Windows directory
PID:4320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
303⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
304⤵
- Modifies registry class
PID:3712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
305⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
306⤵
- Checks computer location settings
PID:2792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
307⤵
- Drops file in Windows directory
PID:4060

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
308⤵
- Checks computer location settings
- Modifies registry class
PID:4536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
309⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
310⤵
PID:1668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
311⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
312⤵
- Checks computer location settings
PID:2280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
313⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
314⤵
PID:2592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
315⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
316⤵
PID:2180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
317⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
318⤵
PID:1148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
319⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
320⤵
PID:884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
321⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
322⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
323⤵
- Drops file in Windows directory
PID:4712

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
324⤵
- Checks computer location settings
PID:1076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
325⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
326⤵
PID:3908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
327⤵
- Drops file in Windows directory
PID:3704

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
328⤵
PID:3276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
329⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
330⤵
PID:4996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
331⤵
- Drops file in Windows directory
PID:2184

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
332⤵
PID:4568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
333⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
334⤵
- Checks computer location settings
- Modifies registry class
PID:3100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
335⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
336⤵
- Drops file in Windows directory
- Modifies registry class
PID:4552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
337⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
338⤵
- Checks computer location settings
- Modifies registry class
PID:4872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
339⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
340⤵
PID:4488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
341⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
342⤵
PID:5036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
343⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
344⤵
- Checks computer location settings
PID:3256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
345⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
346⤵
PID:228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
347⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
348⤵
- Modifies registry class
PID:2684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
349⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
350⤵
PID:3560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
351⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
352⤵
- Drops file in Windows directory
- Modifies registry class
PID:4660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
353⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
354⤵
PID:4356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
355⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
356⤵
PID:4616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
357⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
358⤵
PID:3912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
359⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
360⤵
PID:1420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
361⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
362⤵
- Checks computer location settings
- Modifies registry class
PID:1612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
363⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
364⤵
- Checks computer location settings
PID:5020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
365⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
366⤵
- Drops file in Windows directory
- Modifies registry class
PID:4688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
367⤵
- Drops file in Windows directory
PID:712

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
368⤵
- Modifies registry class
PID:3348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
369⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
370⤵
- Checks computer location settings
PID:1296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
371⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
372⤵
- Checks computer location settings
PID:1308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
373⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
374⤵
PID:4644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
375⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
376⤵
- Modifies registry class
PID:3224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
377⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
378⤵
PID:224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
379⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
380⤵
- Checks computer location settings
PID:1520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
381⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
382⤵
- Checks computer location settings
PID:440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
383⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
384⤵
- Modifies registry class
PID:4456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
385⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
386⤵
- Modifies registry class
PID:4868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
387⤵
- Drops file in Windows directory
PID:4308

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
388⤵
PID:2436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
389⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
390⤵
- Checks computer location settings
- Modifies registry class
PID:3052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
391⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
392⤵
- Drops file in Windows directory
PID:2072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
393⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
394⤵
PID:1672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
395⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
396⤵
- Modifies registry class
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
397⤵
- Drops file in Windows directory
PID:2136

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
398⤵
- Checks computer location settings
PID:4068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
399⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
400⤵
- Modifies registry class
PID:3000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
401⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
402⤵
- Modifies registry class
PID:2260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
403⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
404⤵
PID:636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
405⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
406⤵
PID:4144

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
407⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
408⤵
- Checks computer location settings
PID:3756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE"
409⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\0F63FB~1.EXE
410⤵
- Adds Run key to start application
PID:4280

C:\Windows\winrecsv.exe
C:\Windows\winrecsv.exe
411⤵
- Windows security bypass
- Windows security modification
PID:224

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4cd288d257e67f3e813f4a2f445701f7 v/1FWuGM4kuXyU4+iImg7A.0.1.0.0.0
1⤵
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1276

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
1.2MB

MD5
e316c67c785d3e39e90341b0bbaac705

SHA1
7ffd89492438a97ad848068cfdaab30c66afca35

SHA256
4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478

SHA512
25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
773KB

MD5
e7a27a45efa530c657f58fda9f3b9f4a

SHA1
6c0d29a8b75574e904ab1c39fc76b39ca8f8e461

SHA256
d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5

SHA512
0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe
Filesize
325KB

MD5
0511abca39ed6d36fff86a8b6f2266cd

SHA1
bfe55ac898d7a570ec535328b6283a1cdfa33b00

SHA256
76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8

SHA512
6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe
Filesize
325KB

MD5
6f87ccb8ab73b21c9b8288b812de8efa

SHA1
a709254f843a4cb50eec3bb0a4170ad3e74ea9b3

SHA256
14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22

SHA512
619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe
Filesize
546KB

MD5
562f70bad7b9f81532fac8427352fd19

SHA1
9451db328d2424434f54b250b538bcb00debb43d

SHA256
068ed96237cbfe790f64cc5854623f40510d88cad9adb2a98170edbc3d23f82c

SHA512
43b51d909a680e9372af1beee8af84a7565c0cdbfc35886e653704b718270c4629d40f1ea49e4155114a8094169b00fb0b65ab91da4408cb50b71da5c05b2233

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{97D61~1\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe
Filesize
1.6MB

MD5
2e85cce02e3d5c3b7cfaf8132c48231b

SHA1
63808bb141407940f89656aae5dc57e99a14f02b

SHA256
b8029e8dc424363ad70a5c929188467aba670b6e6939622dde34f96edd9fde20

SHA512
58674354719276e536b8997816929a7f2aeff9ebd8a6c19e924391f01bf2fe6ac662ad779b33e3747d323e9ad42da2234186c7328701fc48913e4f0af4f445e1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
Filesize
1.1MB

MD5
6088771ce98d1dd4c4f3b70291c7ef39

SHA1
09f041bf16a84d2214a75672d2eb7e982b68f0c2

SHA256
9300eae88b3af629d2041145c0b9692ae7d8ac0ba1d4fa626084c02ec9adb1cc

SHA512
e1470ae4ad68f95655ba55c0ae578c46f030e2e627eff44f42934119ddff6ce2f58afbd4b7fc9a94086d954f1a053ae3b520758e1a536c0e823da7882a9dba14

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
Filesize
1.3MB

MD5
27543bab17420af611ccc3029db9465a

SHA1
f0f96fd53f9695737a3fa6145bc5a6ce58227966

SHA256
75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

SHA512
a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
Filesize
650KB

MD5
2f826daacb184077b67aad3fe30e3413

SHA1
981d415fe70414aaac3a11024e65ae2e949aced8

SHA256
a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222

SHA512
2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

Download Submit
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
Filesize
650KB

MD5
72d0addae57f28c993b319bfafa190ac

SHA1
8082ad7a004a399f0edbf447425f6a0f6c772ff3

SHA256
671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18

SHA512
98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\0f63fbdacbf4c7c588befd9fbda6a8ee896995067929fbc2c374b259e4503c4c_NeikiAnalytics.exe
Filesize
116KB

MD5
de03fc91bd1e2feb7bffd15a0c7b4c0c

SHA1
2d56e523bc1d7dd12a07c52422c25852f8fae7a0

SHA256
e753a710f03ebce7ca0df822cdef21e5fdd35f0224336bbb0406106ce3f0f169

SHA512
f27e7707be5f479343b1f73a91d5c5845766c426705fdd401202abbeaf175afa8580281e7ba6ade572b31e029afca76d543544500f1395152925da71a24d4fe1

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
d7c2138501fcc8dd376075abd772b4f5

SHA1
cc656d50eba4657bf20a7532032715c59b51cd23

SHA256
25529b39fc9de0c44d5a4619146b2f33d6db9c2a9243b264e9dacc42c63d5a24

SHA512
5d47b51b782bffa573fb90ed152930ba12d54596ed4132917ce59c061b763eb80224ed4e0ea1bfdb5b8c8bfc91527939a4906a1ba706b67596d6b091927e6dcb

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\winrecsv.exe
Filesize
75KB

MD5
ed2d7b25bb360cccb4f0f6a4f8732d7a

SHA1
6ffcc083956c5ac19826bdd87e12f87817ee837c

SHA256
22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

SHA512
6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

Download Submit
memory/388-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/768-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1028-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1032-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1088-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1156-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1236-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1400-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1708-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1812-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1824-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1920-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1972-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1972-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-289-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2136-101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2192-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2200-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2240-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2372-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2444-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2492-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2724-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2732-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3152-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3192-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3216-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3396-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3404-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3432-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3456-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3540-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3868-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4064-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4124-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4232-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4236-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4308-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4344-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4440-348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4552-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4580-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4600-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4600-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4616-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4656-297-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4672-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4812-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4872-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4928-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4984-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5004-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download