neshta | f3e9c213d0e32dc314919c6932b1924d7c97c82c5dcb846179436f75660381d1

Analysis

max time kernel
119s
max time network
124s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-12-2021 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp/c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
Size

930KB
MD5

f216fec248b643e7def093cb7fdddb2c
SHA1

e13794371af188551bdd02e4d569d71b51fae2d3
SHA256

f3e9c213d0e32dc314919c6932b1924d7c97c82c5dcb846179436f75660381d1
SHA512

b1de56cd14f7a6cc708b46e7b764538abc78b8d309be6ee5c3923a6152cca044bf945f726c9922566ab793c57adc76f90dedb8bf5fd4a2f2a091c73fb6c062e6

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 37 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

svchost.exec6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exesvchost.exec6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exesvchost.exec6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exesvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXE

pid	process
3504	svchost.exe
3676	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
3652	svchost.exe
780	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
4024	svchost.exe
4032	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
3980	svchost.com
4212	C6DFFC~1.EXE
4332	svchost.com
4388	C6DFFC~1.EXE
4340	svchost.com
4320	C6DFFC~1.EXE
4412	svchost.com
4508	C6DFFC~1.EXE
3320	svchost.com
540	C6DFFC~1.EXE
884	svchost.com
444	C6DFFC~1.EXE
1180	svchost.com
1312	C6DFFC~1.EXE
1608	svchost.com
1836	C6DFFC~1.EXE
2104	svchost.com
2264	C6DFFC~1.EXE
2648	svchost.com
2964	C6DFFC~1.EXE
4256	svchost.com
4776	C6DFFC~1.EXE
4892	svchost.com
4912	C6DFFC~1.EXE
2608	svchost.com
3592	C6DFFC~1.EXE
4844	svchost.com
4576	C6DFFC~1.EXE
4280	svchost.com
4284	C6DFFC~1.EXE
2628	svchost.com
2364	C6DFFC~1.EXE
1100	svchost.com
2092	C6DFFC~1.EXE
2436	svchost.com
1236	C6DFFC~1.EXE
4584	svchost.com
4732	C6DFFC~1.EXE
3724	svchost.com
996	C6DFFC~1.EXE
1340	svchost.com
1240	C6DFFC~1.EXE
1580	svchost.com
1680	C6DFFC~1.EXE
1948	svchost.com
1976	C6DFFC~1.EXE
4416	svchost.com
4240	C6DFFC~1.EXE
3552	svchost.com
1716	C6DFFC~1.EXE
1444	svchost.com
2584	C6DFFC~1.EXE
1632	svchost.com
3688	C6DFFC~1.EXE
3252	svchost.com
3204	C6DFFC~1.EXE
2136	svchost.com
4984	C6DFFC~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exesvchost.exec6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe

Drops file in Windows directory 64 IoCs

Processes:

C6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comC6DFFC~1.EXEsvchost.comsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEsvchost.comsvchost.comC6DFFC~1.EXEsvchost.comsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEc6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exesvchost.comsvchost.comsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEsvchost.comsvchost.comC6DFFC~1.EXEsvchost.comsvchost.comC6DFFC~1.EXEsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	C6DFFC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C6DFFC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

C6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEc6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exeC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXEC6DFFC~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	C6DFFC~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exesvchost.exec6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exec6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exesvchost.exec6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exesvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXEsvchost.comC6DFFC~1.EXE

description	pid	process	target process
PID 3376 wrote to memory of 3504	3376	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.exe
PID 3376 wrote to memory of 3504	3376	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.exe
PID 3376 wrote to memory of 3504	3376	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.exe
PID 3504 wrote to memory of 3676	3504	svchost.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 3504 wrote to memory of 3676	3504	svchost.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 3504 wrote to memory of 3676	3504	svchost.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 3676 wrote to memory of 780	3676	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 3676 wrote to memory of 780	3676	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 3676 wrote to memory of 780	3676	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 780 wrote to memory of 4024	780	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.exe
PID 780 wrote to memory of 4024	780	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.exe
PID 780 wrote to memory of 4024	780	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.exe
PID 4024 wrote to memory of 4032	4024	svchost.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 4024 wrote to memory of 4032	4024	svchost.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 4024 wrote to memory of 4032	4024	svchost.exe	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
PID 4032 wrote to memory of 3980	4032	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.com
PID 4032 wrote to memory of 3980	4032	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.com
PID 4032 wrote to memory of 3980	4032	c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe	svchost.com
PID 3980 wrote to memory of 4212	3980	svchost.com	C6DFFC~1.EXE
PID 3980 wrote to memory of 4212	3980	svchost.com	C6DFFC~1.EXE
PID 3980 wrote to memory of 4212	3980	svchost.com	C6DFFC~1.EXE
PID 4212 wrote to memory of 4332	4212	C6DFFC~1.EXE	svchost.com
PID 4212 wrote to memory of 4332	4212	C6DFFC~1.EXE	svchost.com
PID 4212 wrote to memory of 4332	4212	C6DFFC~1.EXE	svchost.com
PID 4332 wrote to memory of 4388	4332	svchost.com	C6DFFC~1.EXE
PID 4332 wrote to memory of 4388	4332	svchost.com	C6DFFC~1.EXE
PID 4332 wrote to memory of 4388	4332	svchost.com	C6DFFC~1.EXE
PID 4388 wrote to memory of 4340	4388	C6DFFC~1.EXE	svchost.com
PID 4388 wrote to memory of 4340	4388	C6DFFC~1.EXE	svchost.com
PID 4388 wrote to memory of 4340	4388	C6DFFC~1.EXE	svchost.com
PID 4340 wrote to memory of 4320	4340	svchost.com	C6DFFC~1.EXE
PID 4340 wrote to memory of 4320	4340	svchost.com	C6DFFC~1.EXE
PID 4340 wrote to memory of 4320	4340	svchost.com	C6DFFC~1.EXE
PID 4320 wrote to memory of 4412	4320	C6DFFC~1.EXE	svchost.com
PID 4320 wrote to memory of 4412	4320	C6DFFC~1.EXE	svchost.com
PID 4320 wrote to memory of 4412	4320	C6DFFC~1.EXE	svchost.com
PID 4412 wrote to memory of 4508	4412	svchost.com	C6DFFC~1.EXE
PID 4412 wrote to memory of 4508	4412	svchost.com	C6DFFC~1.EXE
PID 4412 wrote to memory of 4508	4412	svchost.com	C6DFFC~1.EXE
PID 4508 wrote to memory of 3320	4508	C6DFFC~1.EXE	svchost.com
PID 4508 wrote to memory of 3320	4508	C6DFFC~1.EXE	svchost.com
PID 4508 wrote to memory of 3320	4508	C6DFFC~1.EXE	svchost.com
PID 3320 wrote to memory of 540	3320	svchost.com	C6DFFC~1.EXE
PID 3320 wrote to memory of 540	3320	svchost.com	C6DFFC~1.EXE
PID 3320 wrote to memory of 540	3320	svchost.com	C6DFFC~1.EXE
PID 540 wrote to memory of 884	540	C6DFFC~1.EXE	svchost.com
PID 540 wrote to memory of 884	540	C6DFFC~1.EXE	svchost.com
PID 540 wrote to memory of 884	540	C6DFFC~1.EXE	svchost.com
PID 884 wrote to memory of 444	884	svchost.com	C6DFFC~1.EXE
PID 884 wrote to memory of 444	884	svchost.com	C6DFFC~1.EXE
PID 884 wrote to memory of 444	884	svchost.com	C6DFFC~1.EXE
PID 444 wrote to memory of 1180	444	C6DFFC~1.EXE	svchost.com
PID 444 wrote to memory of 1180	444	C6DFFC~1.EXE	svchost.com
PID 444 wrote to memory of 1180	444	C6DFFC~1.EXE	svchost.com
PID 1180 wrote to memory of 1312	1180	svchost.com	C6DFFC~1.EXE
PID 1180 wrote to memory of 1312	1180	svchost.com	C6DFFC~1.EXE
PID 1180 wrote to memory of 1312	1180	svchost.com	C6DFFC~1.EXE
PID 1312 wrote to memory of 1608	1312	C6DFFC~1.EXE	svchost.com
PID 1312 wrote to memory of 1608	1312	C6DFFC~1.EXE	svchost.com
PID 1312 wrote to memory of 1608	1312	C6DFFC~1.EXE	svchost.com
PID 1608 wrote to memory of 1836	1608	svchost.com	C6DFFC~1.EXE
PID 1608 wrote to memory of 1836	1608	svchost.com	C6DFFC~1.EXE
PID 1608 wrote to memory of 1836	1608	svchost.com	C6DFFC~1.EXE
PID 1836 wrote to memory of 2104	1836	C6DFFC~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe"
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
23⤵
- Executes dropped EXE
PID:2104

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
24⤵
- Executes dropped EXE
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
25⤵
- Executes dropped EXE
PID:2648

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
26⤵
- Executes dropped EXE
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
27⤵
- Executes dropped EXE
PID:4256

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
28⤵
- Executes dropped EXE
PID:4776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
29⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4892

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
30⤵
- Executes dropped EXE
- Modifies registry class
PID:4912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
31⤵
- Executes dropped EXE
PID:2608

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
32⤵
- Executes dropped EXE
PID:3592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
33⤵
- Executes dropped EXE
PID:4844

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
34⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
35⤵
- Executes dropped EXE
PID:4280

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
36⤵
- Executes dropped EXE
- Modifies registry class
PID:4284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
37⤵
- Executes dropped EXE
PID:2628

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
38⤵
- Executes dropped EXE
PID:2364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
39⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
40⤵
- Executes dropped EXE
PID:2092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
41⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
42⤵
- Executes dropped EXE
PID:1236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
43⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
44⤵
- Executes dropped EXE
- Modifies registry class
PID:4732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
45⤵
- Executes dropped EXE
PID:3724

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
46⤵
- Executes dropped EXE
PID:996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
47⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
48⤵
- Executes dropped EXE
PID:1240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
49⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
50⤵
- Executes dropped EXE
PID:1680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
51⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
52⤵
- Executes dropped EXE
PID:1976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
53⤵
- Executes dropped EXE
PID:4416

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
54⤵
- Executes dropped EXE
PID:4240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
55⤵
- Executes dropped EXE
PID:3552

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
56⤵
- Executes dropped EXE
- Modifies registry class
PID:1716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
57⤵
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
58⤵
- Executes dropped EXE
PID:2584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
59⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
60⤵
- Executes dropped EXE
PID:3688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
61⤵
- Executes dropped EXE
PID:3252

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
62⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
63⤵
- Executes dropped EXE
PID:2136

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
65⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
66⤵
PID:3644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
67⤵
- Drops file in Windows directory
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
68⤵
- Modifies registry class
PID:4008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
69⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
70⤵
PID:1772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
71⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
72⤵
PID:4172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
73⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
74⤵
PID:4452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
75⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
76⤵
PID:4336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
77⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
78⤵
PID:3832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
79⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
80⤵
PID:4244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
81⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
82⤵
PID:944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
83⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
84⤵
PID:680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
85⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
86⤵
PID:1116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
87⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
88⤵
PID:1248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
89⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
90⤵
PID:1368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
91⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
92⤵
PID:2056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
93⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
94⤵
PID:2432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
95⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
96⤵
PID:4260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
97⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
98⤵
PID:4028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
99⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
100⤵
PID:3200

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
101⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
102⤵
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
103⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
104⤵
PID:1332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
105⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
106⤵
PID:4916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
107⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
108⤵
- Modifies registry class
PID:4556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
109⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
110⤵
PID:4576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
111⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
112⤵
- Drops file in Windows directory
PID:2624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
113⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
114⤵
PID:5020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
115⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
116⤵
PID:868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
117⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
118⤵
- Drops file in Windows directory
PID:2436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
119⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
120⤵
- Modifies registry class
PID:912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
121⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
122⤵
PID:388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
123⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
124⤵
PID:1340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
125⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
126⤵
PID:4400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
127⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
128⤵
PID:2744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
129⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
130⤵
PID:2876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
131⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
132⤵
PID:1944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
133⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
134⤵
PID:1444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
135⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
136⤵
PID:4360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
137⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
138⤵
PID:3088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
139⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
140⤵
PID:3444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
141⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
142⤵
PID:3624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
143⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
144⤵
- Modifies registry class
PID:4040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
145⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
146⤵
PID:4184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
147⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
148⤵
- Modifies registry class
PID:4160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
149⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
150⤵
PID:4364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
151⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
152⤵
PID:4464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
153⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
154⤵
PID:3928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
155⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
156⤵
PID:4408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
157⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
158⤵
PID:612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
159⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
160⤵
PID:892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
161⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
162⤵
PID:1096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
163⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
164⤵
- Drops file in Windows directory
PID:444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
165⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
166⤵
- Modifies registry class
PID:2148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
167⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
168⤵
PID:1380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
169⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
170⤵
PID:2928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
171⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
172⤵
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
173⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
174⤵
- Drops file in Windows directory
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
175⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
176⤵
PID:2916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
177⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
178⤵
PID:3548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
179⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
180⤵
- Modifies registry class
PID:4924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
181⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
182⤵
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
183⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
184⤵
PID:4552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
185⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
186⤵
- Modifies registry class
PID:4564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
187⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
188⤵
PID:4292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
189⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
190⤵
PID:740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
191⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
192⤵
- Drops file in Windows directory
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
193⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
194⤵
PID:4632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
195⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
196⤵
PID:2164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
197⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
198⤵
- Modifies registry class
PID:1336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
199⤵
- Drops file in Windows directory
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
200⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
201⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
202⤵
PID:2948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
203⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
204⤵
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
205⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
206⤵
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
207⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
208⤵
- Drops file in Windows directory
PID:1716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
209⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
210⤵
PID:3648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
211⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
212⤵
PID:3268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
213⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
214⤵
- Modifies registry class
PID:3264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
215⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
216⤵
PID:3544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
217⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
218⤵
PID:3540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
219⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
220⤵
- Modifies registry class
PID:4048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
221⤵
- Drops file in Windows directory
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
222⤵
- Modifies registry class
PID:4204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
223⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
224⤵
- Modifies registry class
PID:4312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
225⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
226⤵
- Modifies registry class
PID:4468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
227⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
228⤵
PID:4348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
229⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
230⤵
PID:400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
231⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
232⤵
- Modifies registry class
PID:4412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
233⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
234⤵
PID:448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
235⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
236⤵
- Modifies registry class
PID:1188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
237⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
238⤵
PID:2232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
239⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
240⤵
PID:2056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
241⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
242⤵
PID:2928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
243⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
244⤵
- Modifies registry class
PID:2408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
245⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
246⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
247⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
248⤵
PID:2344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
249⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
250⤵
PID:2768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
251⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
252⤵
PID:2896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
253⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
254⤵
PID:4868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
255⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
256⤵
PID:4560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
257⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
258⤵
PID:4268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
259⤵
- Drops file in Windows directory
PID:5008

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
260⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
261⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
262⤵
PID:624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
263⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
264⤵
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
265⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
266⤵
- Modifies registry class
PID:4956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
267⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
268⤵
PID:996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
269⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
270⤵
PID:4140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
271⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
272⤵
PID:1968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
273⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
274⤵
PID:4400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
275⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
276⤵
PID:2708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
277⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
278⤵
PID:1044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
279⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
280⤵
PID:1944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
281⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
282⤵
- Modifies registry class
PID:2988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
283⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
284⤵
- Drops file in Windows directory
PID:3260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
285⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
286⤵
- Drops file in Windows directory
PID:3500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
287⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
288⤵
PID:3820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
289⤵
- Drops file in Windows directory
PID:3376

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
290⤵
PID:4148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
291⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
292⤵
PID:4012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
293⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
294⤵
PID:1772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
295⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
296⤵
PID:4160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
297⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
298⤵
PID:4364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
299⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
300⤵
PID:4464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
301⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
302⤵
PID:3232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
303⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
304⤵
PID:4244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
305⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
306⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
307⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
308⤵
PID:1028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
309⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
310⤵
PID:2248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
311⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
312⤵
- Modifies registry class
PID:2212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
313⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
314⤵
PID:2524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
315⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
316⤵
PID:2640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
317⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
318⤵
- Drops file in Windows directory
PID:3560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
319⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
320⤵
PID:4832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
321⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
322⤵
PID:2008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
323⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
324⤵
PID:4892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
325⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
326⤵
PID:1604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
327⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
328⤵
PID:3592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
329⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
330⤵
- Modifies registry class
PID:2632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
331⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
332⤵
PID:2092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
333⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
334⤵
PID:3024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
335⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
336⤵
- Drops file in Windows directory
PID:1220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
337⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
338⤵
PID:1236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
339⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
340⤵
- Modifies registry class
PID:4728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
341⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
342⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
343⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
344⤵
- Modifies registry class
PID:1780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
345⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
346⤵
PID:1680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
347⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
348⤵
- Modifies registry class
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
349⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
350⤵
PID:64

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
351⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
352⤵
PID:2168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
353⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
354⤵
PID:3216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
355⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
356⤵
PID:1632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
357⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
358⤵
PID:5088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
359⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
360⤵
PID:4988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
361⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
362⤵
- Drops file in Windows directory
PID:3800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
363⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
364⤵
PID:4020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
365⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
366⤵
PID:4204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
367⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
368⤵
- Modifies registry class
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
369⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
370⤵
PID:4452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
371⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
372⤵
PID:3236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
373⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
374⤵
PID:3832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
375⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
376⤵
PID:2020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
377⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
378⤵
PID:836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
379⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
380⤵
PID:1540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
381⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
382⤵
PID:1612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
383⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
384⤵
PID:3256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
385⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
386⤵
- Drops file in Windows directory
- Modifies registry class
PID:2452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
387⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
388⤵
PID:3224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
389⤵
- Drops file in Windows directory
PID:2640

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
390⤵
PID:1388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
391⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
392⤵
- Modifies registry class
PID:4792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
393⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
394⤵
PID:972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
395⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
396⤵
PID:4916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
397⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
398⤵
PID:4844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
399⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
400⤵
- Modifies registry class
PID:4576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
401⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
402⤵
PID:2368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
403⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
404⤵
PID:4284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
405⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
406⤵
PID:3572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
407⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
408⤵
PID:4828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
409⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
410⤵
PID:3580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
411⤵
- Drops file in Windows directory
PID:736

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
412⤵
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
413⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
414⤵
PID:2184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
415⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
416⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
417⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
418⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
419⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
420⤵
PID:2904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
421⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
422⤵
PID:3840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
423⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
424⤵
PID:1764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
425⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
426⤵
- Modifies registry class
PID:3732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
427⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
428⤵
PID:3696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
429⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
430⤵
- Modifies registry class
PID:3088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
431⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
432⤵
PID:3616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
433⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
434⤵
- Modifies registry class
PID:3440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
435⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
436⤵
- Drops file in Windows directory
PID:4040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
437⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
438⤵
PID:4376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
439⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
440⤵
PID:4312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
441⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
442⤵
PID:4328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
443⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
444⤵
PID:4348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
445⤵
- Drops file in Windows directory
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
446⤵
PID:3232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
447⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
448⤵
PID:544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
449⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
450⤵
PID:452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
451⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
452⤵
PID:1920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
453⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
454⤵
PID:1816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
455⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
456⤵
PID:2432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
457⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
458⤵
PID:2104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
459⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
460⤵
PID:1936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
461⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
462⤵
PID:2648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
463⤵
- Drops file in Windows directory
PID:3200

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
464⤵
PID:4776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
465⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
466⤵
PID:4832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
467⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
468⤵
PID:2656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
469⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
470⤵
PID:4556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
471⤵
- Drops file in Windows directory
PID:4296

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
472⤵
- Drops file in Windows directory
PID:4552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
473⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
474⤵
PID:3592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
475⤵
- Drops file in Windows directory
PID:2624

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
476⤵
PID:4292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
477⤵
PID:716

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
478⤵
PID:948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
479⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
480⤵
PID:5000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
481⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
482⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
483⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
484⤵
PID:996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
485⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
486⤵
- Modifies registry class
PID:2072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
487⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
488⤵
PID:4800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
489⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
490⤵
PID:4400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
491⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
492⤵
PID:2704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
493⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
494⤵
PID:1392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
495⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
496⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
497⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
498⤵
PID:1444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
499⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
500⤵
PID:4360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
501⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
502⤵
PID:3500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
503⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
504⤵
PID:3540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
505⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
506⤵
PID:4572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
507⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
508⤵
PID:4012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
509⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
510⤵
PID:1772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
511⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
512⤵
PID:4380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
513⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
514⤵
PID:4448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
515⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
516⤵
PID:4324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
517⤵
- Drops file in Windows directory
PID:4352

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
518⤵
- Drops file in Windows directory
PID:3228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
519⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
520⤵
- Drops file in Windows directory
PID:2020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
521⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
522⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
523⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
524⤵
PID:1540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
525⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
526⤵
PID:1920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
527⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
528⤵
PID:3008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
529⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
530⤵
PID:3016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
531⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
532⤵
PID:2408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
533⤵
- Drops file in Windows directory
PID:4920

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
534⤵
PID:4752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
535⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
536⤵
PID:4404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
537⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
538⤵
PID:4532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
539⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
540⤵
PID:1228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
541⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
542⤵
PID:4908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
543⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
544⤵
PID:4536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
545⤵
- Drops file in Windows directory
PID:5032

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
546⤵
- Modifies registry class
PID:5024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
547⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
548⤵
PID:5008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
549⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
550⤵
PID:4292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
551⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
552⤵
PID:4828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
553⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
554⤵
- Modifies registry class
PID:5040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
555⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
556⤵
PID:3724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
557⤵
- Drops file in Windows directory
PID:996

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
558⤵
- Drops file in Windows directory
PID:1928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
559⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
560⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
561⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
562⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
563⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
564⤵
PID:4400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
565⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
566⤵
PID:3840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
567⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
568⤵
PID:1764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
569⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
570⤵
PID:1996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
571⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
572⤵
PID:1444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
573⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
574⤵
PID:4360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
575⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
576⤵
PID:3820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
577⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
578⤵
PID:4148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
579⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
580⤵
- Modifies registry class
PID:1724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
581⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
582⤵
- Modifies registry class
PID:4196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
583⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
584⤵
- Drops file in Windows directory
- Modifies registry class
PID:4304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
585⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
586⤵
- Modifies registry class
PID:4340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
587⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
588⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
589⤵
- Drops file in Windows directory
PID:4324

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
590⤵
PID:3476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
591⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
592⤵
PID:4236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
593⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
594⤵
- Drops file in Windows directory
PID:612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
595⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
596⤵
PID:884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
597⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
598⤵
- Modifies registry class
PID:2232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
599⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
600⤵
- Drops file in Windows directory
PID:2936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
601⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
602⤵
PID:3248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
603⤵
- Modifies registry class
PID:3016

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
604⤵
- Drops file in Windows directory
PID:2992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
605⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
606⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
607⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
608⤵
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
609⤵
- Modifies registry class
PID:4404

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
610⤵
PID:1464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
611⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
612⤵
- Modifies registry class
PID:2896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
613⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
614⤵
PID:4864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
615⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
616⤵
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
617⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
618⤵
- Drops file in Windows directory
- Modifies registry class
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
619⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
620⤵
- Modifies registry class
PID:424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
621⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
622⤵
PID:716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
623⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
624⤵
- Modifies registry class
PID:4720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
625⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
626⤵
- Drops file in Windows directory
- Modifies registry class
PID:4992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
627⤵
- Drops file in Windows directory
PID:1304

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
628⤵
- Modifies registry class
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
629⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
630⤵
- Modifies registry class
PID:4728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
631⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
632⤵
- Modifies registry class
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
633⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
634⤵
PID:1680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
635⤵
- Drops file in Windows directory
PID:4480

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
636⤵
- Drops file in Windows directory
PID:2504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
637⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
638⤵
PID:4672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
639⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
640⤵
PID:1944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
641⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
642⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
643⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
644⤵
PID:2584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
645⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
646⤵
PID:4996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
647⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
648⤵
PID:3444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
649⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
650⤵
PID:4036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
651⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
652⤵
- Drops file in Windows directory
- Modifies registry class
PID:4056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
653⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
654⤵
PID:4184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
655⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
656⤵
PID:4180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
657⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
658⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
659⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
660⤵
- Modifies registry class
PID:4388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
661⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
662⤵
- Modifies registry class
PID:4324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
663⤵
- Drops file in Windows directory
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
664⤵
PID:4244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
665⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
666⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
667⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
668⤵
PID:4412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
669⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
670⤵
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
671⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
672⤵
PID:1380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
673⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
674⤵
- Modifies registry class
PID:3636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
675⤵
- Drops file in Windows directory
PID:2380

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
676⤵
PID:2412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
677⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
678⤵
PID:3828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
679⤵
- Drops file in Windows directory
PID:2256

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
680⤵
PID:3560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
681⤵
- Drops file in Windows directory
PID:3200

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
682⤵
PID:4936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
683⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
684⤵
PID:3548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
685⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
686⤵
PID:2008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
687⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
688⤵
PID:4892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
689⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
690⤵
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
691⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
692⤵
PID:4560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
693⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
694⤵
PID:4248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
695⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
696⤵
PID:2496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
697⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
698⤵
- Drops file in Windows directory
PID:948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
699⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
700⤵
PID:1220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
701⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
702⤵
PID:4976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
703⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
704⤵
- Modifies registry class
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
705⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
706⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
707⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
708⤵
- Modifies registry class
PID:2652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
709⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
710⤵
PID:3856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
711⤵
- Drops file in Windows directory
PID:4400

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
712⤵
- Drops file in Windows directory
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
713⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
714⤵
PID:3712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
715⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
716⤵
PID:3720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
717⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
718⤵
PID:3260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
719⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
720⤵
PID:4432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
721⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
722⤵
PID:4984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
723⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
724⤵
- Modifies registry class
PID:2160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
725⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
726⤵
PID:3540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
727⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
728⤵
- Drops file in Windows directory
PID:4048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
729⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
730⤵
- Drops file in Windows directory
- Modifies registry class
PID:4204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
731⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
732⤵
PID:4164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
733⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
734⤵
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
735⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
736⤵
- Modifies registry class
PID:4344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
737⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
738⤵
PID:3228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE"
739⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
740⤵
PID:940

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\C6DFFC~1.EXE
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
MD5
ae835d3a0d2b4bf5f5a771c76818dd32

SHA1
eee03f5995069a58a707ccd09cfb5390f1ee4878

SHA256
88f047e7f608c1e648345d71a354c2b30b5cc9ea9b70ef14910a65a06a2ab478

SHA512
b827c77a3bba68ae2295c5827cbfc669be8d525f1db0d724077ca353a9a5c1fcaf7d281ea2329d6bd8938c2bb9cb156206599f4f38b86e2182bb9b49d8d8977f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
MD5
ae835d3a0d2b4bf5f5a771c76818dd32

SHA1
eee03f5995069a58a707ccd09cfb5390f1ee4878

SHA256
88f047e7f608c1e648345d71a354c2b30b5cc9ea9b70ef14910a65a06a2ab478

SHA512
b827c77a3bba68ae2295c5827cbfc669be8d525f1db0d724077ca353a9a5c1fcaf7d281ea2329d6bd8938c2bb9cb156206599f4f38b86e2182bb9b49d8d8977f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
MD5
a9b2abf5ea925775c9631cdcb42ceee0

SHA1
3cd5708dc7da9d4baefef2b8d99b504fae863d76

SHA256
6c5cc3735d26d69bffa0e44340e9758e38199c380fe0a50c579b092a80e09724

SHA512
5e1f541a4ed8265ae2f9ba10b50c00e5799241a2db0ff95df02a17b13e58e6638a3cc3596be3bb5e50dae34da5dccb717c955a64aea9f57aff21f1184a28a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
MD5
d095f01e1146508f0fdf242615a183f3

SHA1
3889ae67f1ee63cc37395ee51b455748d4710a92

SHA256
ebda8f08ed000f4d6cd36dbcd9fc2fd4ca0c992b0970464538abd59a51acfc88

SHA512
6c4745f22de361869713011db9417474bd01d39a5953614792764e4061b610e891713533ef4b7af39760f2a057d036ed124a2eb8fc0d533b74e986fc79b32815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp\c6dffc4e-7a0d-4cb0-9a3a-b3e327e0d1dd_1003.exe
MD5
d095f01e1146508f0fdf242615a183f3

SHA1
3889ae67f1ee63cc37395ee51b455748d4710a92

SHA256
ebda8f08ed000f4d6cd36dbcd9fc2fd4ca0c992b0970464538abd59a51acfc88

SHA512
6c4745f22de361869713011db9417474bd01d39a5953614792764e4061b610e891713533ef4b7af39760f2a057d036ed124a2eb8fc0d533b74e986fc79b32815

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\directx.sys
MD5
d03efa10ae508c9ab0a5ef6d667bac38

SHA1
deba4d0adcb7749ba28030240fd87f731db127f2

SHA256
f7f984f9e9ef9c079f1e0171594442b3e155e009d00e79f26b2431be3c639757

SHA512
5b454b02baab2e81beb3bde551e780421f75669db8b10847d9d8ed90e2a2d2a0bdebf541165f6ab76d0871bd5338821157f478973869444cbbceccdf655f64a9

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/444-164-0x0000000000000000-mapping.dmp

Download
memory/540-158-0x0000000000000000-mapping.dmp

Download
memory/780-122-0x0000000000000000-mapping.dmp

Download
memory/884-161-0x0000000000000000-mapping.dmp

Download
memory/996-223-0x0000000000000000-mapping.dmp

Download
memory/1100-216-0x0000000000000000-mapping.dmp

Download
memory/1180-167-0x0000000000000000-mapping.dmp

Download
memory/1236-219-0x0000000000000000-mapping.dmp

Download
memory/1240-225-0x0000000000000000-mapping.dmp

Download
memory/1312-170-0x0000000000000000-mapping.dmp

Download
memory/1340-224-0x0000000000000000-mapping.dmp

Download
memory/1444-234-0x0000000000000000-mapping.dmp

Download
memory/1580-226-0x0000000000000000-mapping.dmp

Download
memory/1608-173-0x0000000000000000-mapping.dmp

Download
memory/1632-236-0x0000000000000000-mapping.dmp

Download
memory/1680-227-0x0000000000000000-mapping.dmp

Download
memory/1716-233-0x0000000000000000-mapping.dmp

Download
memory/1836-177-0x0000000000000000-mapping.dmp

Download
memory/1948-228-0x0000000000000000-mapping.dmp

Download
memory/1976-229-0x0000000000000000-mapping.dmp

Download
memory/2092-217-0x0000000000000000-mapping.dmp

Download
memory/2104-179-0x0000000000000000-mapping.dmp

Download
memory/2136-240-0x0000000000000000-mapping.dmp

Download
memory/2264-182-0x0000000000000000-mapping.dmp

Download
memory/2364-215-0x0000000000000000-mapping.dmp

Download
memory/2436-218-0x0000000000000000-mapping.dmp

Download
memory/2584-235-0x0000000000000000-mapping.dmp

Download
memory/2608-208-0x0000000000000000-mapping.dmp

Download
memory/2628-214-0x0000000000000000-mapping.dmp

Download
memory/2648-185-0x0000000000000000-mapping.dmp

Download
memory/2964-189-0x0000000000000000-mapping.dmp

Download
memory/3204-239-0x0000000000000000-mapping.dmp

Download
memory/3252-238-0x0000000000000000-mapping.dmp

Download
memory/3320-155-0x0000000000000000-mapping.dmp

Download
memory/3440-242-0x0000000000000000-mapping.dmp

Download
memory/3504-115-0x0000000000000000-mapping.dmp

Download
memory/3552-232-0x0000000000000000-mapping.dmp

Download
memory/3592-209-0x0000000000000000-mapping.dmp

Download
memory/3676-118-0x0000000000000000-mapping.dmp

Download
memory/3688-237-0x0000000000000000-mapping.dmp

Download
memory/3724-222-0x0000000000000000-mapping.dmp

Download
memory/3980-130-0x0000000000000000-mapping.dmp

Download
memory/4024-125-0x0000000000000000-mapping.dmp

Download
memory/4032-127-0x0000000000000000-mapping.dmp

Download
memory/4212-133-0x0000000000000000-mapping.dmp

Download
memory/4240-231-0x0000000000000000-mapping.dmp

Download
memory/4256-199-0x0000000000000000-mapping.dmp

Download
memory/4280-212-0x0000000000000000-mapping.dmp

Download
memory/4284-213-0x0000000000000000-mapping.dmp

Download
memory/4320-147-0x0000000000000000-mapping.dmp

Download
memory/4332-137-0x0000000000000000-mapping.dmp

Download
memory/4340-143-0x0000000000000000-mapping.dmp

Download
memory/4388-141-0x0000000000000000-mapping.dmp

Download
memory/4412-149-0x0000000000000000-mapping.dmp

Download
memory/4416-230-0x0000000000000000-mapping.dmp

Download
memory/4508-153-0x0000000000000000-mapping.dmp

Download
memory/4576-211-0x0000000000000000-mapping.dmp

Download
memory/4584-220-0x0000000000000000-mapping.dmp

Download
memory/4732-221-0x0000000000000000-mapping.dmp

Download
memory/4776-203-0x0000000000000000-mapping.dmp

Download
memory/4844-210-0x0000000000000000-mapping.dmp

Download
memory/4892-205-0x0000000000000000-mapping.dmp

Download
memory/4912-207-0x0000000000000000-mapping.dmp

Download
memory/4984-241-0x0000000000000000-mapping.dmp

Download