Malware Analysis Report

2024-11-16 12:14

Sample ID 240715-wf1kbasckr
Target 61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
SHA256 61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e
Tags
neshta execution persistence spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e

Threat Level: Known bad

The file 61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe was found to be: Known bad.

Malicious Activity Summary

neshta execution persistence spyware stealer

Neshta

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-15 17:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 17:52

Reported

2024-07-15 17:55

Platform

win7-20240708-en

Max time kernel

142s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

Signatures

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2208 set thread context of 2404 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 1124 set thread context of 2004 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 2796 set thread context of 308 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 1948 set thread context of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 568 set thread context of 1696 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 2748 set thread context of 2316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 3068 set thread context of 868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 832 set thread context of 2380 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 2072 set thread context of 2228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 2208 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 2016 wrote to memory of 2832 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2208 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 2208 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 1680 wrote to memory of 464 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1084 wrote to memory of 1348 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2208 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 2404 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 2196 wrote to memory of 1124 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 1124 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 1124 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 1124 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 1712 wrote to memory of 1984 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

"C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94C1.tmp"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp94C1.tmp

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD366.tmp"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpD366.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10E2.tmp"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp10E2.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4DD2.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp4DD2.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AB3.tmp"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp8AB3.tmp

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC793.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpC793.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A2.tmp"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp4A2.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp422F.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp422F.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

C:\Windows\svchost.com

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

C:\Windows\directx.sys

C:\Windows\directx.sys

C:\Windows\directx.sys

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M2RNGAS9TQBKA6SC4YXL.temp

C:\Windows\directx.sys

C:\Windows\directx.sys

C:\Users\Admin\AppData\Local\Temp\tmp4DD2.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 17:52

Reported

2024-07-15 17:55

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

Signatures

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 2992 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 2992 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 4620 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 4620 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 3896 wrote to memory of 932 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3896 wrote to memory of 932 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3896 wrote to memory of 932 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 4620 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 4620 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 4620 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 4620 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 4620 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 532 wrote to memory of 4740 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 532 wrote to memory of 4740 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 532 wrote to memory of 4740 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 4420 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2312 wrote to memory of 4420 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2312 wrote to memory of 4420 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 4620 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
PID 2340 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 2340 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 2340 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe C:\Windows\svchost.com
PID 2604 wrote to memory of 4456 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 2604 wrote to memory of 4456 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 2604 wrote to memory of 4456 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 4456 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 4456 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 4456 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 1164 wrote to memory of 3992 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 3992 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 3992 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 4456 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 4456 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 4356 wrote to memory of 3500 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 3500 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 3500 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 4456 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 4456 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Windows\svchost.com
PID 536 wrote to memory of 4988 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 536 wrote to memory of 4988 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 536 wrote to memory of 4988 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 4456 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 4456 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 4456 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 4456 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 4456 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 4456 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 4456 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
PID 4456 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

"C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD43.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpCD43.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp142F.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp142F.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55AD.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp55AD.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9584.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp9584.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5E9.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpD5E9.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56B1.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp56B1.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9764.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp9764.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 18.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe

MD5 fd151dbc522da341d7c5540e6a90d624
SHA1 4fe3c3f08021ce65120246b0428ad5fafe001d6e
SHA256 bc984064d01424dfd6a7c530a1927fe5e3fd3c659988ccd503c3fbfd99462a3f
SHA512 3c3356f1f59235cdcb720939aad4b87939778695d9b9cf2ed1d0d31844a50844bf984a9d1b3f7c15af25286e55f0102f1826b19315eb79a65423942e8431eaed

memory/4620-13-0x000000007392E000-0x000000007392F000-memory.dmp

memory/4620-14-0x0000000000DB0000-0x0000000000E78000-memory.dmp

memory/4620-15-0x0000000005CB0000-0x0000000006254000-memory.dmp

memory/4620-16-0x00000000057A0000-0x0000000005832000-memory.dmp

memory/4620-17-0x0000000005740000-0x000000000574A000-memory.dmp

memory/4620-18-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/4620-19-0x00000000058C0000-0x00000000058D2000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 d9e8a1fa55faebd36ed2342fedefbedd
SHA1 c25cc7f0035488de9c5df0121a09b5100e1c28e9
SHA256 bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a
SHA512 134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

memory/2992-104-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4620-105-0x0000000005CA0000-0x0000000005CA8000-memory.dmp

memory/4620-106-0x0000000006A60000-0x0000000006A6E000-memory.dmp

memory/4620-107-0x0000000006AC0000-0x0000000006B4E000-memory.dmp

memory/4620-108-0x0000000006D40000-0x0000000006DDC000-memory.dmp

C:\Windows\svchost.com

MD5 2f50aca08ffc461c86e8fb5bbedda142
SHA1 6fc5319d084c6e13f950c24c78a9cadb7793c638
SHA256 d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e
SHA512 785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

C:\Windows\directx.sys

MD5 8ef46131112542d3859ed87042a58784
SHA1 1cea3455bf0c347007c5c8780f638ff5027eb687
SHA256 058e4a52feb09ce5ea1095e512ee714132c446b493080833ffb802e91f9d8aef
SHA512 180f5708d9b039ba391ce77b51972a1296567f910bf545f11341c7d8947642fb675dc0cd2b73f7fff3c745586924ffb1078fbd8c3c9445a708d25c238cc15019

C:\Windows\directx.sys

MD5 eeeb45e7168435a05021519dece54ce3
SHA1 df05ed8dc583d17b54cf270dbbbbe36937769941
SHA256 b6063fa83cf0d842cf1a0fa2f30dd20d638b4b380cf351534b82cef9e14be9ac
SHA512 538218614b1f8b3f6b6244857b8271687b7e9036f1ab1bd489fff92782674522c43bc312989d4ac3e58f5d335cdda8c0d898a4bb9630d1c5a467e38f332fb501

C:\Windows\directx.sys

MD5 ba4a5d73acd49e6fcb828a8d2880f3bf
SHA1 2af8435b75c30bfb0f21fd685052c68b06dd3766
SHA256 dc37bc79f2ebc911a09a8b8d61b4173202eca7851006e79f7996fd74032db497
SHA512 913397519ffe7414dc9d4730882956b31ef93a0518adf6e5e78b128420ffad7e5482ab7cc214197da2ac3e6fa34a1977e60d45a13610b4b2b4cc4824b6edcf23

memory/532-132-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2312-139-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2340-143-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2340-141-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4620-145-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/932-148-0x0000000004F30000-0x0000000004F66000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 51793c9e2af72fd3d06520de563add54
SHA1 b77ab89608e6fd6150109038b15beae489d325c8
SHA256 adff78f09abaad328ed44bfecf59ff3ccd50e815b19d0c65566418602296a98c
SHA512 77363c70ed5002acc3e17ce965b0dfdff6dfb4eed1255964b575d3b7b2fc5847cb0bd449b6852d687f6ecf07bd77b9d4c923b5c9312051897d602f256780f955

memory/932-152-0x00000000055A0000-0x0000000005BC8000-memory.dmp

C:\Windows\directx.sys

MD5 98169b13e77ed35ec975e17ae26f995b
SHA1 193a590cba9fd83594d1e4a4a80a4ecfbdacdc54
SHA256 005f4da6703fe3f3798300a7409f16caf9f2441655934a09911a103eda337b5d
SHA512 c070b0298bced5c0b6fd09d84b4f0632a877591a6b9861fd1994e300b0e89d111d1d3b7635c5fadb54cba472031c48a7cc74295956556bac8e827dd10dacd352

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 114445130d5e083c42830d9adbf5d748
SHA1 48a62ec52b835918cc19a2df9c624a7a0d6b85e1
SHA256 a5f47d59b8d08fc85ee411ec2e1015fedda08fd4a6cae2bf7b3bb1a7db2ccb5e
SHA512 45eb73fd4e12ed70c386c733b2bc04296fb1a16be04b4cd45260c70d0e4b6cf3a87dc223ce2319d94b79c513ba19d0816bae428c466076c1de906429aaa78748

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

MD5 3e8712e3f8ce04d61b1c23d9494e1154
SHA1 7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4
SHA256 7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9
SHA512 d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

MD5 823cb3e3a3de255bdb0d1f362f6f48ab
SHA1 9027969c2f7b427527b23cb7ab1a0abc1898b262
SHA256 b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f
SHA512 0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 6b27dd3f7c6898e7d1bcff73d6e29858
SHA1 55102c244643d43aeaf625145c6475e78dfbe9de
SHA256 53e47df12f0ce2005f4a2a773d194c9431b325b64c205dfa4cfba45c973b65f3
SHA512 52b7a596b07935f15f008c2de38c5dfd85df18b49e5083e363b90fb321d4f1bf588627dcbe94fa6434c460243b254c5ca1dbcf2c956e49baa92e13e104500f2f

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE

MD5 eee817016431278bd858e5c321767f7b
SHA1 6dd600c4fb9d3e24d1cebc6956ce8102f9d58e74
SHA256 a7eb193768af5d871ce180824e956dc327ba61b0b6db57f2bf3e615c910720ba
SHA512 480f8868b1c18640206892cd6b56b89db812d55cbaeab956f592f1918ab8cc944aead1ccc7c153dda94580415be90b0f463fe803a97eeb4fc3760e99d7e57c15

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE

MD5 c60eb8f7c3df316b12ae7e04189cc9be
SHA1 4250de4d4ea8b5d7c651f442ed589fcafdf3c78f
SHA256 c0e53970d4fc3ea6ca016cfc23a9693f5184053270c59a61240df71811775372
SHA512 a51259a047ca5dc01567235ffd61ef73c1de530a2645bbf45a083f0d8f2c18d081928be9f4074dbdeccbac58997779ec75cd5973c0c87b704f07522240ef97f1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 71cf18e3e6acb58de320bc6b08e4b10b
SHA1 85bb8175d75e9e16a4cc0cf7bf0f8f1d5c12fdd2
SHA256 250f39ed8a6046fa16df35ed2b700eeba5fc99baf5ec84b1e52d59eea3e49190
SHA512 f9d2661797f7cee9179da492d3f50f453e2d38005eb35ecec7bf6d79f9e2d90e27b172017665ecb17e5194ff4203ce98d0ac1e2a581d2e11bb886aa82e9233d3

memory/2604-214-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE

MD5 371fe80bdde71019c270f38d4c36639b
SHA1 e818b457524b2a95d294adacce0d543bdc7b80c6
SHA256 a06bd428a4f8e14c959e055483860519a21b5d61c7c3d0d3a363eade34a29951
SHA512 66322d6b282bc9838f11a5f0e3b9118fd0f4032265d54a5a2c39462cb515c757cadb7f9524d4b6f3ef46c070c5754cccfedb474208513beffef8909bbe3445ae

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jtmndts.n2j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/932-227-0x0000000005E50000-0x0000000005EB6000-memory.dmp

memory/932-226-0x0000000005DD0000-0x0000000005E36000-memory.dmp

memory/932-228-0x0000000005EC0000-0x0000000006214000-memory.dmp

memory/932-225-0x0000000005D30000-0x0000000005D52000-memory.dmp

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE

MD5 d870e8d0f543c4443f6d0030c21534c9
SHA1 567aafcc65a8e573ec1bb569de001340162c90a4
SHA256 79303b97cb84d63a92d5ee1480df9e797f6905ef2d1981bb3a4f0ab68ee84172
SHA512 7a4fa35dea6c4509f5da5ac76ce0f7f6420eec553e09dbe374afc7beda05fa5ed99a4d21ae4fa64cf2ce27c1d496e6fa2b7b063b351323bda752847b986ca327

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE

MD5 7c529d5c3fd4f9a4dba4365fd16c0c0b
SHA1 cb8813ffdf693b50e48a476b1e4361db08882131
SHA256 8aa5c3030e310e9fbfe38dbee646ea0d023f656df6fddde8fab8726d1ef5b2e9
SHA512 d23b2a3b60af573611659494caf3989f0b902eec601979e5e594b4c4f7f6b00764cc2a00d7dfc86a8f4a09657350cfca6192a8da23c445e9fbe4ed85520c4abc

memory/4456-238-0x0000000005DC0000-0x0000000005DD2000-memory.dmp

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

MD5 ecda5b4161dbf34af2cd3bd4b4ca92a6
SHA1 a76347d21e3bfc8d9a528097318e4b037d7b1351
SHA256 98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f
SHA512 3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

MD5 a31628879099ba1efd1b63e81771f6c7
SHA1 42d9de49d0465c907be8ee1ef1ccf3926b8825fe
SHA256 031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc
SHA512 0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

MD5 6b7a2ce420e8dd7484ca4fa4460894ae
SHA1 df07e4a085fc29168ae9ec4781b88002077f7594
SHA256 dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4
SHA512 7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

MD5 b8bffe8467716db4da9d94061dc33d07
SHA1 db4bac1757b1b60b26e2fef0fc88ce708efad352
SHA256 b03986224aa28f1e1850bd2fcd1a5f5f2fea34c2c0815d8e6943f0a98b754af2
SHA512 5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

MD5 af9aba6ab24cba804abba88d1626b2b9
SHA1 6a387c9ec2c06178476f8439a5a3d9149c480a9a
SHA256 e6a06e738140a8cc089bc607e5f5e1e2b224b71d52e0be0d01f9deb8e9763a90
SHA512 9e004f2eccb4e48d2c98a8168f7fe752ad3195b66f0aa1d7ec07dd5819539bc94a50ffb1deb291e7fea11932eb88fb5938b1ef0a93cd8b1902495d1f7bd2d950

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

MD5 032ee4d65b62d87cf809438556d30429
SHA1 34458fcefe3c67f19c3d2c94389fc99e54e74801
SHA256 0099c710e406e0423bb0b11eb4c113508c67f84a0972a2d14c038687cac1753b
SHA512 6b912d51e93f1e4756ecc5321ec08a6eb5e15413a9d9cf568bd14ce2a5199d064f6dd5c7d9d5155296d1a4ab5852c81a8fc138565fb788e7402c09b61281a5cd

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

MD5 69e1e0de795a8bf8c4884cb98203b1f4
SHA1 a17f2ba68776596e2d1593781289c7007a805675
SHA256 2b6d153b9df86033b7a83eb4f521fd4f7aeec35dc54ef8d1ffe80f5bbd030dbb
SHA512 353b664271d0f49f94b60c7fbaf5ab6d5b8df7690383517a90ba675f750d9b28628bbd5ed92a6782879607f4c21214b15ea95fd6a5a8d6f9540a1b75ddb9e665

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

MD5 24eeb998cb16869438b95642d49ac3dd
SHA1 b45aa87f45250aa3482c29b24fa4aa3d57ae4c71
SHA256 a2cfd55902b1750070e9154a90e29a10b9e6fa0c03bc82d8f198678e9bc46cd0
SHA512 2ac6de5c3e52b31355300ff4e846ed0627d8d4af02c4c07c0886694a09237ef2ee76e004883fae76a959bef0b60bd4138a9c88ad22139c6b859786c8e37bb358

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

MD5 ae390fa093b459a84c27b6c266888a7e
SHA1 ad88709a7f286fc7d65559e9aee3812be6baf4b2
SHA256 738b7b5da8ca4798043672d2a32913e0f64268c7861eecc9fcc4c7f9d440d8cd
SHA512 096b5190efefe4c5272637e0721dcd339883f551c5e0cce568ed0bd63b31fb9acef6b09d310966482dbc7a944cc7a5878b0ad6bd68c30d1871254865a1660851

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

MD5 b84ae39dd0420080bd9e6b9557eea65b
SHA1 5326a058a3bcc4eb0530028e17d391e356210603
SHA256 92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924
SHA512 860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

MD5 fdad5d6d8cf37e8c446dcd6c56c718c3
SHA1 412883fd3bb56f2b850d2c29ee666d9b75636faf
SHA256 2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c
SHA512 9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

C:\PROGRA~2\Google\Update\DISABL~1.EXE

MD5 2424d589d7997df1356c160a9a82088c
SHA1 ca9b479043636434f32c74c2299210ef9f933b98
SHA256 9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60
SHA512 4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

MD5 001760b2a66fb4fff1e2c42bc39e5421
SHA1 1980cafc246e5a31b6e78bcd5eec1726c9789046
SHA256 1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a
SHA512 a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

MD5 78f77aff4993684fdbcad13c74d5f364
SHA1 0b02ed9112021b3c65778fdce0642e81dfb5b628
SHA256 9f707deff2f5b5a8c611c5926362c4ffc82f5744a4699f3fb1ee3ef6bb9b2cfb
SHA512 568c1abf5f6d13fe37cb55a5f5992dea38e30fc80812a977c0ae25ed30f67321db8f4c0da2ae4ae558e58dc430885fa13c1f7f1d6b2d6bb51ed031f042defafb

C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

MD5 a12297c17e3747647d5c29d67edd4d9a
SHA1 6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d
SHA256 288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2
SHA512 e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

MD5 6ecccb4bab82a4971897aa0bcb2f14be
SHA1 1c680d6f8ca6a0436b5935906a2d9c4699a7a412
SHA256 c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1
SHA512 d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

MD5 b6283a7eb554d995d9a7c72dcfca14b5
SHA1 67d64907800c611bbcefd31d2494da12962f5022
SHA256 099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881
SHA512 a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

MD5 48628eeb152032e8dc9af97aaaeba7cf
SHA1 e826f32c423627ef625a6618e7250f7dbc4d2501
SHA256 f271af83d96b1d536e1a1788ec0baa0c3c583ddfe61faceccaeec1470c5676ca
SHA512 18a2a247177d04d5b1b56d126d72e29b02c8378e8aa4c89bdbaefe14bcd577d7aa054b05a5db37d142a37cf869f3bc03fe9a5bba4886a52d6c2ede5052dfcc7d

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

MD5 7aac73055860fcd079d9407cab08276d
SHA1 482b9f337d60270c95950353f9ca8929d8926b1d
SHA256 97508a81b805937e1ca57711a51d2e8d715a2748e2f9d27d39dfecc28f3fb9e5
SHA512 f183a10eb13c083c7cd8e785a7978eee4998c33d1eb104a0ab0e54146e10651f68612249e668baa08919a5840f6f929b5452c93f71a232b30aab9e2857109fb5

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

MD5 de9e6086062f01926b48c2d80508d12b
SHA1 13610cca5e38925e22b6a79067df0dd9eca49fe3
SHA256 d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4
SHA512 60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 62976c65ded41b4f31c7f379c548e05c
SHA1 3827c414ad15cd67ea8635400002c4c79704250e
SHA256 80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66
SHA512 ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

MD5 e115eb174536d5fbcf5164232c89c25d
SHA1 5879354de61734962d39d13316d1fe028389cc16
SHA256 57329b38314923c17e9dd9e153e894708389dd597fcb1438d5291c7627238653
SHA512 69696a2e842e0557a57ec4d12c31d5afde0cdfb80d6028ad8d9b0b59d558ad6eaf043c9da0d31c43b16b4f12894dcea69db9366772c49c758773e6c35a9fb0c5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

MD5 dc6f9d4b474492fd2c6bb0d6219b9877
SHA1 85f5550b7e51ecbf361aaba35b26d62ed4a3f907
SHA256 686bec325444e43232fb20e96365bb1f1eb7c47a4e4ce246fc900d3a9784d436
SHA512 1e9c2dfeada91e69ee91cd398145e4044bd5788a628b89441c8c6ff4067ba0a399124197fd31dad26ccb76a4d866ad99918ba8e1549983be967d31b933ad9780

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

MD5 ead399a43035cf6544c96d014436fc9a
SHA1 c8ef64abb6c56cbd02e851a98214620459c8b947
SHA256 38b06ee250af6554e6740a1bb7acfb77b99ccdb8081880e01c386afa98668766
SHA512 6fa46a36c17c9496c18843e04d78d5146cdea173a74acacd9b7c63d220c49fa3a1acb65f91fe7214a1ae82ebf63fb5366beecd7f9e0aeee0cbab5d1bd0aa6d14

memory/932-239-0x0000000006380000-0x000000000639E000-memory.dmp

memory/932-240-0x00000000063C0000-0x000000000640C000-memory.dmp

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

MD5 961c73fd70b543a6a3c816649e5f8fce
SHA1 8dbdc7daeb83110638d192f65f6d014169e0a79b
SHA256 f94ddaf929fb16d952b79c02e78439a10dd2faa78f7f66b7d52de2675e513103
SHA512 e5d97ee63b02abc65add41f6721514515b34fd79f7db23ae04cf608c2f7e0504e00b07694047b982d14d60cccf6f833b50268c693e3baf1b697d3370c0bba0b6

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

MD5 3ccfc6967bcfea597926999974eb0cf9
SHA1 6736e7886e848d41de098cd00b8279c9bc94d501
SHA256 a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9
SHA512 f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

MD5 2e989da204d9c4c3e375a32edf4d16e7
SHA1 e8a0bf8b4ae4f26e2af5c1748de6055ba4308129
SHA256 cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec
SHA512 3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f

C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

MD5 c4a918069757a263adb9fbc9f5c9e00d
SHA1 66d749fc566763b6170080a40f54f4cda4644af4
SHA256 129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b
SHA512 4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

MD5 514972e16cdda8b53012ad8a14a26e60
SHA1 aa082c2fbe0b3dd5c47952f9a285636412203559
SHA256 49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4
SHA512 98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

MD5 4ab023aa6def7b300dec4fc7ef55dbe7
SHA1 aa30491eb799fa5bdf79691f8fe5e087467463f1
SHA256 8ca27077312716f79f39309156c905719a908e8ded4bf88c2ba6fa821e574673
SHA512 000e33cc2399efa9dc56c06a42f91eb64b94f30b78cf260469f45f3b876f518d2d2b62e33d8f697660ae560d595e5bd5b7a5f847c316d5f97adeb3d8f9248ab5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

MD5 66a77a65eea771304e524dd844c9846a
SHA1 f7e3b403439b5f63927e8681a64f62caafe9a360
SHA256 9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6
SHA512 3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

MD5 3e4c1ecf89d19b8484e386008bb37a25
SHA1 a9a92b63645928e8a92dc395713d3c5b921026b7
SHA256 1ebe469c94c2c2a5acbc3927cef19dbe2f583ba3651a55623633891c4c05cc22
SHA512 473d03abbb61609749a176a0724e427599a4f4707d72a74ed457b2198098f59fdf64b5394798db82f4064dfe964083d70af6a50a5fa2ab2674c77a99792e4e52

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

MD5 3da833f022988fbc093129595cc8591c
SHA1 fdde5a7fb7a60169d2967ff88c6aba8273f12e36
SHA256 1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66
SHA512 1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 ef63e5ccbea2788d900f1c70a6159c68
SHA1 4ac2e144f9dd97a0cd061b76be89f7850887c166
SHA256 a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45
SHA512 913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

MD5 124147ede15f97b47224628152110ce2
SHA1 4530fee9b1199777693073414b82420a7c88a042
SHA256 3e815d583236b9cecd912fcc949a301d1e51b609cbb53a2285d08feea305edcd
SHA512 f4c2825380d1bb9ca889d5c5684f13aa0cacb0d6511f6409ca0972a7191195a0175e00c995407848bf09ea03cff05c7395952bf2ffd2af2015b8939f75a8e627

memory/2992-241-0x0000000000400000-0x000000000041B000-memory.dmp

memory/932-243-0x000000006FBC0000-0x000000006FC0C000-memory.dmp

memory/4740-254-0x000000006FBC0000-0x000000006FC0C000-memory.dmp

memory/932-255-0x0000000007580000-0x0000000007623000-memory.dmp

memory/932-253-0x0000000006920000-0x000000000693E000-memory.dmp

memory/932-242-0x0000000006940000-0x0000000006972000-memory.dmp

memory/932-266-0x00000000076A0000-0x00000000076BA000-memory.dmp

memory/932-265-0x0000000007CE0000-0x000000000835A000-memory.dmp

memory/4740-267-0x0000000007010000-0x000000000701A000-memory.dmp

memory/4740-268-0x0000000007220000-0x00000000072B6000-memory.dmp

memory/932-269-0x00000000078A0000-0x00000000078B1000-memory.dmp

memory/4740-270-0x00000000071D0000-0x00000000071DE000-memory.dmp

memory/4740-271-0x00000000071E0000-0x00000000071F4000-memory.dmp

memory/4740-272-0x00000000072E0000-0x00000000072FA000-memory.dmp

memory/4740-273-0x00000000072C0000-0x00000000072C8000-memory.dmp

memory/3896-278-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2992-277-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2992-281-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3896-280-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 c2b924a755022d340350d6489047a889
SHA1 78f843ebd696be30470b8dbcd010b7a8f3190c5e
SHA256 83a600cbf99c3693a07feb28a55ba1a17536add8bc5e667c7db93d25d5634c93
SHA512 cf038c60b70f43c8e2cc52f37cf722052f4ff0485ece39a67f3de064e41b98f16e7a8b88b9b98f7d831932799f7910eb843076897151f747ca8d45bff56ef64e

memory/1164-289-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4356-298-0x0000000000400000-0x000000000041B000-memory.dmp

memory/536-304-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 16fd86a41e417eb6edf1d305c0355af1
SHA1 c0deb377b7234eb8b3f9dedb2be32ff34c18c938
SHA256 476632e3310f81bef6203c463ae03d838b823e093d2f849765aefae10bec2f22
SHA512 338875d18b4cae6c1e92eecd84ea87e4f8fe03def0c35178e9185c0eda9a97d3dc8badd2a1ef8c9d8e85739cafa09729eb011499404b583941c51621b3afc3a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c2f8a0108f877d27cd9b1c61b822ccdd
SHA1 dcc92dac3155288d5422b9ea515d1e273813a567
SHA256 11becccd71a50f9529327472e5d741b194ca7ed95c6ebd0bf5b53b1b02ce7928
SHA512 38af35adf3d3cb1529803da7d5368306b776e3bd35c805429d09b83db809564d505b8ea6069ac65eb7b958e15d5ec16679ef7338658d8513fba3e8b8c3929629

memory/3992-334-0x0000000005B70000-0x0000000005EC4000-memory.dmp

memory/1400-344-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3992-345-0x0000000006550000-0x000000000659C000-memory.dmp

memory/3500-346-0x0000000074620000-0x000000007466C000-memory.dmp

memory/3992-356-0x0000000074620000-0x000000007466C000-memory.dmp

memory/3500-366-0x0000000007A60000-0x0000000007B03000-memory.dmp

memory/3500-367-0x0000000007D50000-0x0000000007D61000-memory.dmp

memory/3500-368-0x0000000007D90000-0x0000000007DA4000-memory.dmp

memory/2456-393-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3020-387-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2292-378-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 970861e09c55a7db85a91f69e54a3efd
SHA1 552575920c25d2853c4863ce3437c6495b0d9454
SHA256 81fac62700a0f23a18bff33592e0ad45869ddfc623d08db38ef9915f9fac1390
SHA512 46a7bfc63b2306d9499bedd51659debea91d9df3fd1210d8446e2a643a2afe7525a23c7380f4dfb88b9dc1ef57fa142f303819d84ab662852921960062e1fcbf

memory/2680-419-0x0000000005730000-0x0000000005A84000-memory.dmp

memory/4668-425-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2680-430-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

memory/3984-431-0x0000000074C90000-0x0000000074CDC000-memory.dmp

memory/2680-441-0x0000000074C90000-0x0000000074CDC000-memory.dmp

memory/3984-451-0x00000000075D0000-0x0000000007673000-memory.dmp

memory/3984-452-0x00000000078B0000-0x00000000078C1000-memory.dmp

memory/3984-453-0x00000000078F0000-0x0000000007904000-memory.dmp

memory/908-463-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2952-478-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1008-477-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e6ad1634f27dcfb584a14c79b9441733
SHA1 309059e32ba075b3426b986d450ee358f4278d9f
SHA256 744c7988c09599917d699063982e691c5fbc0691b5504c21006c05b6126b007c
SHA512 bedd97b8b307af1098c31caec24d04e5a0c98915bebac848aafcaa7a93e1a517d2626d66ea7d539113b20d2d6b4449bc3e35627d01767780a5e442f685870750

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ae012b10c8426f306b8f7ec04a0ef683
SHA1 28bc178b15aebfc3a22f1c25459e6d70d0e50ddc
SHA256 30127ade2da32f3e082a1ccc2eabe504c0a45d1dbf1c11d490cf509c302d4597
SHA512 cc8c258d77897eee88ba5d6d5ed9b32357193e6b37443ebc13c998857c32cdb73a4508060a76872165dd35330f6eaf1cad64a90f4e2ace9a265ac305449fd525

memory/4224-498-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2180-516-0x0000000006160000-0x00000000064B4000-memory.dmp

memory/2180-518-0x00000000066E0000-0x000000000672C000-memory.dmp

memory/2180-519-0x00000000741E0000-0x000000007422C000-memory.dmp

memory/2180-529-0x00000000078E0000-0x0000000007983000-memory.dmp

memory/728-530-0x00000000741E0000-0x000000007422C000-memory.dmp

memory/2180-540-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

memory/2180-541-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

memory/3896-551-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD5E9.tmp

MD5 6bd29c23d4fd5216caf7ea08408d57b9
SHA1 06ff6ad6acba395c906be9e48f2d134eed11610d
SHA256 82344290366c3e080ec892e3bdd182fa153840c258a27e31fdff45ea6409442c
SHA512 a707ac8efc23cad42b32f25f2cd04f74559851aa08c3e7c10ae83fb3ed15381dd66859d3105d3382c7af2f24246eb023803a5783670d4e6602518b9884befb4c

memory/1572-560-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1492-566-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 f8cae6849d7f2d680da8749e6bf13cef
SHA1 e5b78226b6cb174c8d1308350d6061c90fdf4320
SHA256 1c09234b3e0894ee6198b989cfaa938963e87425cc955747f1dfbb13f564a91f
SHA512 2bef888d3f329d7f55168746e52d53b866eb62886d8225e75e70e1ad208efefda3155ee8af16dc1c9cb602ab618e804a484bf4791e068c8ee614131c6268d1db

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6cdf52264d8662efe314dc934c43d7c8
SHA1 cfceed8f063afdf8190e98a4d833e32a014a7ff6
SHA256 d714abb1e937f517a6a8ed279fc46a3d72ab7b921314aaf742a592e10459ddb4
SHA512 6e1a7b14ab4a4f94254c0feba838ad67194656a330a83f4a8df9af935e76ee6aa1991fa22b950fc4b3850ae5441c3324e7ce0382e764042e5ce8097b13a4b538

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 59ce14cb469b643419d8839fed458a4b
SHA1 b8991fda4a42ebbc7e46e42aa92f379233f26693
SHA256 4d582160ae73819a478ce67875fecdbb9cb4b95ad708aac36d47e68809f452fa
SHA512 9601c4262f0ad4b7ce95cf2e3f1450ee662235ff0b260432df45179daf2501ee0a800aa95c8815751a9a4f92bd348623c6457effd471c7db5c7b50076a3167b2

memory/3696-595-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5012-596-0x00000000059A0000-0x0000000005CF4000-memory.dmp

memory/1708-606-0x0000000005620000-0x0000000005632000-memory.dmp

memory/5012-607-0x0000000006450000-0x000000000649C000-memory.dmp

memory/5012-608-0x0000000074BF0000-0x0000000074C3C000-memory.dmp

memory/5012-618-0x00000000070E0000-0x0000000007183000-memory.dmp

memory/4624-619-0x0000000074BF0000-0x0000000074C3C000-memory.dmp

memory/5012-629-0x00000000073C0000-0x00000000073D1000-memory.dmp

memory/5012-630-0x0000000007400000-0x0000000007414000-memory.dmp

memory/4288-640-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4940-649-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2796-655-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d9cc7951ac13aa73d9c6486fdb7db8c3
SHA1 1e00abbd2a73ef0442c5601cb01ab414a41c52bf
SHA256 ce931d7d0ad25371e85285ccc7bc624b55635b8d18649dfdf7e1e4ff5e09cbeb
SHA512 b1fb1da201b11d0d0389c3bebf07a2920a57198a5fb481c827b554f3689cd8f0e294d07bd6b75d2296b0078c0ce2844fc824e7375ee54b7ae9492b9e5959a376

memory/1624-680-0x0000000006110000-0x0000000006464000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6edb02534e2f66e84e2a366e2bdc82db
SHA1 08038de3bff144d8367985e2567f947bbc98bad9
SHA256 aae9c53f8349e29d19dc3fda258242cfc40d38d88fe85983bbeeb735d0f1452f
SHA512 bfb04c71ed2e9228aa9578cbaff21ed0b7b7934891224c8b9f6c8bc56fc069af6aeecf30f76acf39f7b0b233a7aa7a0358a24eb10402bad668c532b11ff4a0bc

memory/3324-685-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1624-695-0x0000000006810000-0x000000000685C000-memory.dmp

memory/1624-696-0x00000000748B0000-0x00000000748FC000-memory.dmp

memory/1624-706-0x0000000007A00000-0x0000000007AA3000-memory.dmp

memory/1716-707-0x00000000748B0000-0x00000000748FC000-memory.dmp

memory/1624-717-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

memory/1624-718-0x0000000007D30000-0x0000000007D44000-memory.dmp

memory/3504-728-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4748-737-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1952-743-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 0526c0f56031baaf8acadbb3cdfee076
SHA1 6acd9198020c65f9a146230d573f85492c49c249
SHA256 f35d9442a071376e9ea9743c1c7c54c638f825e08d4892a63aa99cf1b275da96
SHA512 71c81f2e5a02e28c9061e99e06c54445cc3cbc2fc43a82d5613143ab5d579f15e4d34e02f09b9af7f349fc70637c8ca7363ae2da86f16da40e0292ec130a39ad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ed67071ba984025d27ead4b7562284aa
SHA1 ac4f0b52e74a97c87fd20e7df9b021edea92edb5
SHA256 b7bec274903e9d69c0aa470798f031d6e0ac281968a593cb5590bf90a0208d0e
SHA512 0eb49635a140768db70deae93abcf7978c277eff79e68827019f1c1b43693fa7e91d36bf66548fac918cdbc94c3dae34dc5e28055ea0e96f90fc8894d0577511

memory/3856-772-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2812-773-0x0000000005BE0000-0x0000000005F34000-memory.dmp

memory/2812-783-0x00000000065A0000-0x00000000065EC000-memory.dmp

memory/2812-784-0x0000000074830000-0x000000007487C000-memory.dmp

memory/2812-794-0x0000000007250000-0x00000000072F3000-memory.dmp

memory/448-795-0x0000000074830000-0x000000007487C000-memory.dmp

memory/2812-805-0x0000000007530000-0x0000000007541000-memory.dmp

memory/2812-806-0x0000000007580000-0x0000000007594000-memory.dmp

memory/864-817-0x0000000000400000-0x000000000041B000-memory.dmp

memory/908-825-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3772-831-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 271d1c0d6fe3e20f2b9b23298ea81796
SHA1 6134c3d2ec1448ba25ca80b3acf58a0c8c223a27
SHA256 b635244769e234bdbdca5d5723118b34cb54fc39483c6ae00df1223030ab8f3e
SHA512 72286aea50d14b975d3682e823d497c6abcc5cb2e37e294d1c30aa7a1bdeba3909b05c9d8377acfeedbd51989abbc0a0fba5b27fcafe264b7c7bfa2d12a7c4cb

memory/1708-851-0x0000000006200000-0x0000000006554000-memory.dmp

memory/4680-870-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1144-871-0x00000000067D0000-0x000000000681C000-memory.dmp

memory/1144-872-0x0000000074590000-0x00000000745DC000-memory.dmp

memory/1708-882-0x0000000074590000-0x00000000745DC000-memory.dmp

memory/1144-892-0x00000000079E0000-0x0000000007A83000-memory.dmp

memory/1144-893-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

memory/1144-894-0x0000000007D10000-0x0000000007D24000-memory.dmp
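The listing above follows one fixed shape: a written path, then its MD5/SHA1/SHA256/SHA512 digests, with memory-dump names (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) interleaved. Two things a responder wants from it are visible only by reading across entries: the same path recurs with different digests when a file is rewritten during the run (the jump-list file d93f411851d7c929.customDestinations-ms and C:\Windows\directx.sys both do), and the 0x400000-0x41B000 dump region appears under many different PIDs. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses the listing into IOC records, rejects digests of the wrong length (a common copy error when hashes are pasted into blocklists), and answers those two questions. The function names are my own; the constructed sample input is a few entries copied from the listing above.

```python
import re
from collections import defaultdict, namedtuple

# Hex-digit length each digest line must have (a short or long value is a copy error).
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
FileRecord = namedtuple("FileRecord", "path md5 sha1 sha256 sha512")
MemoryDump = namedtuple("MemoryDump", "pid seq start end")


def parse_listing(text):
    """Return (file_records, memory_dumps). A file record is a path line followed by
    its four digest lines; a malformed digest or an incomplete record raises ValueError."""
    files, dumps = [], []
    path, digests = None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if path is None or algo in digests:
                raise ValueError(f"line {lineno}: unexpected {algo} line")
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"line {lineno}: {algo} has {len(digest)} hex digits")
            digests[algo] = digest
            if len(digests) == len(HASH_LENGTHS):  # dict order matches FileRecord fields
                files.append(FileRecord(path, *(digests[a] for a in HASH_LENGTHS)))
                path, digests = None, {}
            continue
        if path is not None:
            raise ValueError(f"line {lineno}: {path!r} is missing digest lines")
        path = line
    if path is not None:
        raise ValueError(f"{path!r} is missing digest lines at end of listing")
    return files, dumps


def rewritten_paths(files):
    """Paths listed more than once with different SHA256 values (files rewritten
    during the run), each mapped to its digests in report order."""
    seen = defaultdict(list)
    for rec in files:
        if rec.sha256 not in seen[rec.path]:
            seen[rec.path].append(rec.sha256)
    return {p: h for p, h in seen.items() if len(h) > 1}


def paths_for_hash(files, digest):
    """Case-insensitive lookup of a digest from any of the four algorithms."""
    d = digest.strip().lower()
    return sorted({r.path for r in files if d in (r.md5, r.sha1, r.sha256, r.sha512)})


def pids_with_region(dumps, start, end):
    """PIDs that have a dump of exactly the [start, end) range."""
    return sorted({d.pid for d in dumps if d.start == start and d.end == end})


# Constructed sample: a few entries copied verbatim from the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 71cf18e3e6acb58de320bc6b08e4b10b
SHA1 85bb8175d75e9e16a4cc0cf7bf0f8f1d5c12fdd2
SHA256 250f39ed8a6046fa16df35ed2b700eeba5fc99baf5ec84b1e52d59eea3e49190
SHA512 f9d2661797f7cee9179da492d3f50f453e2d38005eb35ecec7bf6d79f9e2d90e27b172017665ecb17e5194ff4203ce98d0ac1e2a581d2e11bb886aa82e9233d3
memory/2604-214-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
MD5 c2b924a755022d340350d6489047a889
SHA1 78f843ebd696be30470b8dbcd010b7a8f3190c5e
SHA256 83a600cbf99c3693a07feb28a55ba1a17536add8bc5e667c7db93d25d5634c93
SHA512 cf038c60b70f43c8e2cc52f37cf722052f4ff0485ece39a67f3de064e41b98f16e7a8b88b9b98f7d831932799f7910eb843076897151f747ca8d45bff56ef64e
memory/932-227-0x0000000005E50000-0x0000000005EB6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 16fd86a41e417eb6edf1d305c0355af1
SHA1 c0deb377b7234eb8b3f9dedb2be32ff34c18c938
SHA256 476632e3310f81bef6203c463ae03d838b823e093d2f849765aefae10bec2f22
SHA512 338875d18b4cae6c1e92eecd84ea87e4f8fe03def0c35178e9185c0eda9a97d3dc8badd2a1ef8c9d8e85739cafa09729eb011499404b583941c51621b3afc3a7
memory/2992-241-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3896-278-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
MD5 f8cae6849d7f2d680da8749e6bf13cef
SHA1 e5b78226b6cb174c8d1308350d6061c90fdf4320
SHA256 1c09234b3e0894ee6198b989cfaa938963e87425cc955747f1dfbb13f564a91f
SHA512 2bef888d3f329d7f55168746e52d53b866eb62886d8225e75e70e1ad208efefda3155ee8af16dc1c9cb602ab618e804a484bf4791e068c8ee614131c6268d1db
"""


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    print(rewritten_paths(files), pids_with_region(dumps, 0x400000, 0x41B000))
```

Feed the whole Files section to parse_listing and the rewritten-path map tells you which artifacts to collect in every version (each version has its own SHA256), while pids_with_region turns the repeated 0x400000-0x41B000 entries into the list of processes that carried the same small image at the same base, which is the set to pull dumps from first.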