neshta | af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8

Analysis

max time kernel
173s
max time network
171s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
Size

247KB
MD5

d19dd26e8431e2bf91a977e6cbda25ae
SHA1

5632744a3749814de3964a505091ab368ad1b20b
SHA256

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8
SHA512

1d9b09edb34c1c68024279ab3487b17cf67e2e395cd8a109ff3c1e2d23dadf96c163431019542e58755f294a2dae593b6fb3c7f1b88eca2007629e40dff8d358

Score

10^/10

neshta sodinokibi persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta Payload 35 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Executes dropped EXE 64 IoCs

Processes:

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exesvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.com

pid	process
4060	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
4220	svchost.com
4256	AF47F8~1.EXE
4212	svchost.com
4368	AF47F8~1.EXE
4388	svchost.com
4316	AF47F8~1.EXE
3280	svchost.com
3880	AF47F8~1.EXE
3704	svchost.com
3352	AF47F8~1.EXE
672	svchost.com
764	AF47F8~1.EXE
1068	svchost.com
1232	AF47F8~1.EXE
1448	svchost.com
1624	AF47F8~1.EXE
1876	svchost.com
2056	AF47F8~1.EXE
2340	svchost.com
2564	AF47F8~1.EXE
2660	svchost.com
2692	AF47F8~1.EXE
3964	svchost.com
3164	AF47F8~1.EXE
4816	svchost.com
1312	AF47F8~1.EXE
1892	svchost.com
2956	AF47F8~1.EXE
4900	svchost.com
4544	AF47F8~1.EXE
3932	svchost.com
3152	AF47F8~1.EXE
4880	svchost.com
5048	AF47F8~1.EXE
2604	svchost.com
5040	AF47F8~1.EXE
1088	svchost.com
600	AF47F8~1.EXE
732	svchost.com
2436	AF47F8~1.EXE
4988	svchost.com
356	AF47F8~1.EXE
688	svchost.com
1252	AF47F8~1.EXE
4508	svchost.com
4500	AF47F8~1.EXE
1420	svchost.com
2296	AF47F8~1.EXE
2260	svchost.com
1860	AF47F8~1.EXE
1948	svchost.com
2024	AF47F8~1.EXE
4440	svchost.com
2236	AF47F8~1.EXE
4164	svchost.com
2904	AF47F8~1.EXE
3004	svchost.com
4000	AF47F8~1.EXE
3916	svchost.com
3788	AF47F8~1.EXE
3920	svchost.com
3776	AF47F8~1.EXE
3124	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exeaf47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comsvchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEsvchost.comsvchost.comAF47F8~1.EXEsvchost.comsvchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comsvchost.comsvchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEsvchost.comsvchost.comsvchost.comAF47F8~1.EXE

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

AF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exeaf47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exesvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXE

description	pid	process	target process
PID 496 wrote to memory of 4060	496	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
PID 496 wrote to memory of 4060	496	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
PID 496 wrote to memory of 4060	496	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
PID 4060 wrote to memory of 4220	4060	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	svchost.com
PID 4060 wrote to memory of 4220	4060	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	svchost.com
PID 4060 wrote to memory of 4220	4060	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	svchost.com
PID 4220 wrote to memory of 4256	4220	svchost.com	AF47F8~1.EXE
PID 4220 wrote to memory of 4256	4220	svchost.com	AF47F8~1.EXE
PID 4220 wrote to memory of 4256	4220	svchost.com	AF47F8~1.EXE
PID 4256 wrote to memory of 4212	4256	AF47F8~1.EXE	svchost.com
PID 4256 wrote to memory of 4212	4256	AF47F8~1.EXE	svchost.com
PID 4256 wrote to memory of 4212	4256	AF47F8~1.EXE	svchost.com
PID 4212 wrote to memory of 4368	4212	svchost.com	AF47F8~1.EXE
PID 4212 wrote to memory of 4368	4212	svchost.com	AF47F8~1.EXE
PID 4212 wrote to memory of 4368	4212	svchost.com	AF47F8~1.EXE
PID 4368 wrote to memory of 4388	4368	AF47F8~1.EXE	svchost.com
PID 4368 wrote to memory of 4388	4368	AF47F8~1.EXE	svchost.com
PID 4368 wrote to memory of 4388	4368	AF47F8~1.EXE	svchost.com
PID 4388 wrote to memory of 4316	4388	svchost.com	AF47F8~1.EXE
PID 4388 wrote to memory of 4316	4388	svchost.com	AF47F8~1.EXE
PID 4388 wrote to memory of 4316	4388	svchost.com	AF47F8~1.EXE
PID 4316 wrote to memory of 3280	4316	AF47F8~1.EXE	svchost.com
PID 4316 wrote to memory of 3280	4316	AF47F8~1.EXE	svchost.com
PID 4316 wrote to memory of 3280	4316	AF47F8~1.EXE	svchost.com
PID 3280 wrote to memory of 3880	3280	svchost.com	AF47F8~1.EXE
PID 3280 wrote to memory of 3880	3280	svchost.com	AF47F8~1.EXE
PID 3280 wrote to memory of 3880	3280	svchost.com	AF47F8~1.EXE
PID 3880 wrote to memory of 3704	3880	AF47F8~1.EXE	svchost.com
PID 3880 wrote to memory of 3704	3880	AF47F8~1.EXE	svchost.com
PID 3880 wrote to memory of 3704	3880	AF47F8~1.EXE	svchost.com
PID 3704 wrote to memory of 3352	3704	svchost.com	AF47F8~1.EXE
PID 3704 wrote to memory of 3352	3704	svchost.com	AF47F8~1.EXE
PID 3704 wrote to memory of 3352	3704	svchost.com	AF47F8~1.EXE
PID 3352 wrote to memory of 672	3352	AF47F8~1.EXE	svchost.com
PID 3352 wrote to memory of 672	3352	AF47F8~1.EXE	svchost.com
PID 3352 wrote to memory of 672	3352	AF47F8~1.EXE	svchost.com
PID 672 wrote to memory of 764	672	svchost.com	AF47F8~1.EXE
PID 672 wrote to memory of 764	672	svchost.com	AF47F8~1.EXE
PID 672 wrote to memory of 764	672	svchost.com	AF47F8~1.EXE
PID 764 wrote to memory of 1068	764	AF47F8~1.EXE	svchost.com
PID 764 wrote to memory of 1068	764	AF47F8~1.EXE	svchost.com
PID 764 wrote to memory of 1068	764	AF47F8~1.EXE	svchost.com
PID 1068 wrote to memory of 1232	1068	svchost.com	AF47F8~1.EXE
PID 1068 wrote to memory of 1232	1068	svchost.com	AF47F8~1.EXE
PID 1068 wrote to memory of 1232	1068	svchost.com	AF47F8~1.EXE
PID 1232 wrote to memory of 1448	1232	AF47F8~1.EXE	svchost.com
PID 1232 wrote to memory of 1448	1232	AF47F8~1.EXE	svchost.com
PID 1232 wrote to memory of 1448	1232	AF47F8~1.EXE	svchost.com
PID 1448 wrote to memory of 1624	1448	svchost.com	AF47F8~1.EXE
PID 1448 wrote to memory of 1624	1448	svchost.com	AF47F8~1.EXE
PID 1448 wrote to memory of 1624	1448	svchost.com	AF47F8~1.EXE
PID 1624 wrote to memory of 1876	1624	AF47F8~1.EXE	svchost.com
PID 1624 wrote to memory of 1876	1624	AF47F8~1.EXE	svchost.com
PID 1624 wrote to memory of 1876	1624	AF47F8~1.EXE	svchost.com
PID 1876 wrote to memory of 2056	1876	svchost.com	AF47F8~1.EXE
PID 1876 wrote to memory of 2056	1876	svchost.com	AF47F8~1.EXE
PID 1876 wrote to memory of 2056	1876	svchost.com	AF47F8~1.EXE
PID 2056 wrote to memory of 2340	2056	AF47F8~1.EXE	svchost.com
PID 2056 wrote to memory of 2340	2056	AF47F8~1.EXE	svchost.com
PID 2056 wrote to memory of 2340	2056	AF47F8~1.EXE	svchost.com
PID 2340 wrote to memory of 2564	2340	svchost.com	AF47F8~1.EXE
PID 2340 wrote to memory of 2564	2340	svchost.com	AF47F8~1.EXE
PID 2340 wrote to memory of 2564	2340	svchost.com	AF47F8~1.EXE
PID 2564 wrote to memory of 2660	2564	AF47F8~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
"C:\Users\Admin\AppData\Local\Temp\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:496
- C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4256
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3964

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
1⤵
- Executes dropped EXE
PID:3164
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
  2⤵
  - Executes dropped EXE
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
    3⤵
    - Executes dropped EXE
    PID:1312
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
      4⤵
      Executes dropped EXE
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        5⤵
        Executes dropped EXE
        
        PID:2956
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        6⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        7⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        8⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        9⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        10⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        11⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        12⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        13⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        14⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        15⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        16⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        17⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        18⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        19⤵
        Executes dropped EXE
        
        PID:356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        20⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        21⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        22⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        23⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        24⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        25⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        26⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        27⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        28⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        29⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        30⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        32⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        33⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        34⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        35⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        36⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        37⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        38⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        39⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        40⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        41⤵
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        42⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        43⤵
        
        PID:344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        44⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        45⤵
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        46⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        47⤵
        
        PID:4336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        48⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        49⤵
        
        PID:4396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        50⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        51⤵
        
        PID:3264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        52⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        53⤵
        
        PID:3188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        54⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        55⤵
        
        PID:584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        56⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        57⤵
        
        PID:3704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        58⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        59⤵
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        60⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        61⤵
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        62⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        63⤵
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        64⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        65⤵
        
        PID:1500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        66⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        67⤵
        
        PID:3288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        68⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        69⤵
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        70⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        71⤵
        
        PID:3744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        72⤵
        
        PID:3740

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
1⤵
PID:3968
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
  2⤵
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
    3⤵
    PID:4536
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
      4⤵
      PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        5⤵
        
        PID:4816
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        6⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        7⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        8⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        9⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        10⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        11⤵
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        12⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        13⤵
        
        PID:3120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        14⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        15⤵
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        16⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        17⤵
        Modifies registry class
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        18⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        19⤵
        Drops file in Windows directory
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        20⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        21⤵
        
        PID:4904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        22⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        23⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        24⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        25⤵
        Modifies registry class
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        26⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        27⤵
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        28⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        29⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        30⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        31⤵
        Modifies registry class
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        32⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        33⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        34⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        35⤵
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        36⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        37⤵
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        38⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        39⤵
        
        PID:4736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        40⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        41⤵
        
        PID:3892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        42⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        43⤵
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        44⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        45⤵
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        46⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        47⤵
        
        PID:4360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        48⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        49⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        50⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        51⤵
        
        PID:4312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        52⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        53⤵
        
        PID:4388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        54⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        55⤵
        
        PID:3260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        56⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        57⤵
        Modifies registry class
        
        PID:580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        58⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        59⤵
        
        PID:428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        60⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        61⤵
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        62⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        63⤵
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        64⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        65⤵
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        66⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        67⤵
        Modifies registry class
        
        PID:1888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        68⤵
        Drops file in Windows directory
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        69⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        70⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        71⤵
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        72⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        73⤵
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        74⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        75⤵
        Modifies registry class
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        76⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        77⤵
        
        PID:3964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        78⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        79⤵
        
        PID:1168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        80⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        81⤵
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        82⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        83⤵
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        84⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        85⤵
        Modifies registry class
        
        PID:3128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        86⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        87⤵
        
        PID:5032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        88⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        89⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        90⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        91⤵
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        92⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        93⤵
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        94⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        95⤵
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        96⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        97⤵
        
        PID:364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        98⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        99⤵
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        100⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        101⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        102⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        103⤵
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        104⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        105⤵
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        106⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        107⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        108⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        109⤵
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        110⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        111⤵
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        112⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        113⤵
        
        PID:3296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        114⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        115⤵
        
        PID:4376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        116⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        117⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        118⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        119⤵
        
        PID:3940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        120⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        121⤵
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        122⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        123⤵
        
        PID:3184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        124⤵
        Drops file in Windows directory
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        125⤵
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        126⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        127⤵
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        128⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        129⤵
        Drops file in Windows directory
        
        PID:4424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        130⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        131⤵
        
        PID:500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        132⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        133⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        134⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        135⤵
        
        PID:1212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        136⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        137⤵
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        138⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        139⤵
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        140⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        141⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        142⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        143⤵
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        144⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        145⤵
        
        PID:3904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        146⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        147⤵
        Modifies registry class
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        148⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        149⤵
        
        PID:4812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        150⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        151⤵
        
        PID:1196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        152⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        153⤵
        
        PID:4876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        154⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        155⤵
        
        PID:4576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        156⤵
        Drops file in Windows directory
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        157⤵
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        158⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        159⤵
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        160⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        161⤵
        
        PID:4428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        162⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        163⤵
        
        PID:1180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        164⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        165⤵
        
        PID:936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        166⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        167⤵
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        168⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        169⤵
        Modifies registry class
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        170⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        171⤵
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        172⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        173⤵
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        174⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        175⤵
        
        PID:2160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        176⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        177⤵
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        178⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        179⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        180⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        181⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        182⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        183⤵
        Modifies registry class
        
        PID:3628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        184⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        185⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        186⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        187⤵
        
        PID:4376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        188⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        189⤵
        Modifies registry class
        
        PID:4132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        190⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        191⤵
        
        PID:372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        192⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        193⤵
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        194⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        195⤵
        
        PID:4360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        196⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        197⤵
        
        PID:3252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        198⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        199⤵
        
        PID:4328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        200⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        201⤵
        
        PID:3880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        202⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        131⤵
        
        PID:512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        132⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        133⤵
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        134⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        135⤵
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        136⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        137⤵
        
        PID:1120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        138⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        139⤵
        Modifies registry class
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        140⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        141⤵
        
        PID:2808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        142⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        143⤵
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        144⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        145⤵
        Modifies registry class
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        146⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        147⤵
        Modifies registry class
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        148⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        149⤵
        Modifies registry class
        
        PID:964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        150⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        151⤵
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        152⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        153⤵
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        154⤵
        Drops file in Windows directory
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        155⤵
        
        PID:4584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        156⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        157⤵
        Modifies registry class
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        158⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        159⤵
        
        PID:3144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        160⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        161⤵
        Drops file in Windows directory
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        162⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        163⤵
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        164⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        165⤵
        
        PID:1184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        166⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        167⤵
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        168⤵
        
        PID:356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        169⤵
        
        PID:4528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        170⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        171⤵
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        172⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        173⤵
        
        PID:1800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        174⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        175⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        176⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        177⤵
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        178⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        179⤵
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        180⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        181⤵
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        182⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        183⤵
        
        PID:4944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        184⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        185⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        186⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        187⤵
        
        PID:3284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        188⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        189⤵
        
        PID:3768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        190⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        191⤵
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        192⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        193⤵
        
        PID:4248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        194⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        195⤵
        
        PID:4348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        196⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        197⤵
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        198⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        199⤵
        
        PID:3324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        200⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        201⤵
        Drops file in Windows directory
        
        PID:420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        202⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        203⤵
        
        PID:3352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        204⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        205⤵
        
        PID:740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        206⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        207⤵
        
        PID:428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        208⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        209⤵
        
        PID:804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        210⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        211⤵
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        212⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        213⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        214⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        215⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        216⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        217⤵
        
        PID:3904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        218⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        219⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        220⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        221⤵
        
        PID:4812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        222⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        223⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        224⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        225⤵
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        226⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        227⤵
        Drops file in Windows directory
        
        PID:3512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        228⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        229⤵
        
        PID:4884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        230⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        231⤵
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        232⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        233⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        234⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        235⤵
        
        PID:700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        236⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        237⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        238⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        239⤵
        
        PID:3328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        240⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        241⤵
        Modifies registry class
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        242⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        243⤵
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        244⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        245⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        246⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        247⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        248⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        249⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        250⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        251⤵
        
        PID:3336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        252⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        253⤵
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        254⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        255⤵
        
        PID:3628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        256⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        257⤵
        
        PID:4736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        258⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        259⤵
        Modifies registry class
        
        PID:3892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        260⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        261⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        262⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        263⤵
        Drops file in Windows directory
        
        PID:1668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        264⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        265⤵
        Modifies registry class
        
        PID:3228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        266⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        267⤵
        
        PID:3184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        268⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        269⤵
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        270⤵
        Drops file in Windows directory
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        271⤵
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        272⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        273⤵
        
        PID:3880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        274⤵
        
        PID:420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        275⤵
        
        PID:512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        276⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        277⤵
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        278⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        279⤵
        
        PID:900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        280⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        281⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        282⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        283⤵
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        284⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        285⤵
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        286⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        287⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        288⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        289⤵
        Modifies registry class
        
        PID:3080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        290⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        291⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        292⤵
        Drops file in Windows directory
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        293⤵
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        294⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        295⤵
        
        PID:1312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        296⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        297⤵
        
        PID:4936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        298⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        299⤵
        
        PID:4576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        300⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        301⤵
        Modifies registry class
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        302⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        303⤵
        
        PID:4884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        304⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        305⤵
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        306⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        307⤵
        
        PID:68
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        308⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        309⤵
        
        PID:700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        310⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        311⤵
        
        PID:936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        312⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        313⤵
        
        PID:3328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        314⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        315⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        316⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        317⤵
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        318⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        319⤵
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        320⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        321⤵
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        322⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        323⤵
        Modifies registry class
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        324⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        325⤵
        Modifies registry class
        
        PID:3140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        326⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        327⤵
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        328⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        329⤵
        
        PID:3628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        330⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        331⤵
        Drops file in Windows directory
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        332⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        333⤵
        
        PID:4104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        334⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        335⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        336⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        337⤵
        
        PID:3768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        338⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        339⤵
        
        PID:3228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        340⤵
        Drops file in Windows directory
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        341⤵
        
        PID:3184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        342⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        343⤵
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        344⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        345⤵
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        346⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        347⤵
        
        PID:3880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        348⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        349⤵
        
        PID:512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        350⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        351⤵
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        352⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        353⤵
        
        PID:900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        354⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        355⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        356⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        357⤵
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        358⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        359⤵
        Modifies registry class
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        360⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        361⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        362⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        363⤵
        
        PID:3080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        364⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        365⤵
        
        PID:4784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        366⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        367⤵
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        368⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        369⤵
        
        PID:4852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        370⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        371⤵
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        372⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        373⤵
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        374⤵
        Drops file in Windows directory
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        375⤵
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        376⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        377⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        378⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        379⤵
        Modifies registry class
        
        PID:5028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        380⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        381⤵
        
        PID:2628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        382⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        383⤵
        Modifies registry class
        
        PID:600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        384⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        385⤵
        
        PID:4608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        386⤵
        Drops file in Windows directory
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        387⤵
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        388⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        389⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        390⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        391⤵
        
        PID:1800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        392⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        393⤵
        
        PID:944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        394⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        395⤵
        
        PID:4488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        396⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        397⤵
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        398⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        399⤵
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        400⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        401⤵
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        402⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        403⤵
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        404⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        405⤵
        
        PID:3776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        406⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        407⤵
        
        PID:4040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        408⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        409⤵
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        410⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        411⤵
        Modifies registry class
        
        PID:4252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        412⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        413⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        414⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        415⤵
        
        PID:4324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        416⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        417⤵
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        418⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        419⤵
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        420⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        421⤵
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        422⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        423⤵
        
        PID:612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        424⤵
        Drops file in Windows directory
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        425⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        426⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        427⤵
        
        PID:1788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        428⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        429⤵
        
        PID:3256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        430⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        431⤵
        
        PID:1876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        432⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        433⤵
        
        PID:3288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        434⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        435⤵
        Drops file in Windows directory
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        436⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        437⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        438⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        439⤵
        
        PID:4824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        440⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        441⤵
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        442⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        443⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        444⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        445⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        446⤵
        Drops file in Windows directory
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        447⤵
        Drops file in Windows directory
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        448⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        449⤵
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        450⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        451⤵
        
        PID:3144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        452⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        453⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        454⤵
        
        PID:68
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        455⤵
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        456⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        457⤵
        
        PID:664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        458⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        459⤵
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        460⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        461⤵
        Drops file in Windows directory
        
        PID:4528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        462⤵
        Drops file in Windows directory
        
        PID:356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        463⤵
        
        PID:1152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        464⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        465⤵
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        466⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        467⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        468⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        469⤵
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        470⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        471⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        472⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        473⤵
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        474⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        475⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        476⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        477⤵
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        478⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        479⤵
        
        PID:4688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        480⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        481⤵
        
        PID:3952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        482⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        483⤵
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        484⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        485⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        486⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        487⤵
        
        PID:4276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        488⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        489⤵
        
        PID:344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        490⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        491⤵
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        492⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        493⤵
        Modifies registry class
        
        PID:4328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        494⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        495⤵
        
        PID:3320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        496⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        497⤵
        Modifies registry class
        
        PID:500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        498⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        499⤵
        
        PID:584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        500⤵
        Drops file in Windows directory
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        501⤵
        
        PID:1120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        502⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        503⤵
        
        PID:1444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        504⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        505⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        506⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        507⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        508⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        509⤵
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        510⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        511⤵
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        512⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        513⤵
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        514⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        515⤵
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        516⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        517⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        518⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        519⤵
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        520⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        521⤵
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        522⤵
        Drops file in Windows directory
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        523⤵
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        524⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        525⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        526⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        527⤵
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        528⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        529⤵
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        530⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        531⤵
        Drops file in Windows directory
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        532⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        533⤵
        
        PID:4532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        534⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        535⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        536⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        537⤵
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        538⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        539⤵
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        540⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        541⤵
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        542⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        543⤵
        Modifies registry class
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        544⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        545⤵
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        546⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        547⤵
        Modifies registry class
        
        PID:4000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        548⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        549⤵
        
        PID:3168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        550⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        551⤵
        
        PID:3284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        552⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        553⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        554⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        555⤵
        Modifies registry class
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        556⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        557⤵
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        558⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        559⤵
        Drops file in Windows directory
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        560⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        561⤵
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        562⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        563⤵
        Drops file in Windows directory
        
        PID:3112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        564⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        565⤵
        
        PID:4220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        566⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        567⤵
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        568⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        569⤵
        
        PID:856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        570⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        571⤵
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        572⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        573⤵
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        574⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        575⤵
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        576⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        577⤵
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        578⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        579⤵
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        580⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        581⤵
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        582⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        583⤵
        Drops file in Windows directory
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        584⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        585⤵
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        586⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        587⤵
        Drops file in Windows directory
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        588⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        589⤵
        Drops file in Windows directory
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        590⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        591⤵
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        592⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        593⤵
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        594⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        595⤵
        
        PID:3120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        596⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        597⤵
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        598⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        599⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        600⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        601⤵
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        602⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        603⤵
        Drops file in Windows directory
        
        PID:4760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        604⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        605⤵
        
        PID:1136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        606⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        607⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        608⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        609⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        610⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        611⤵
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        612⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        613⤵
        
        PID:1724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        614⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        615⤵
        
        PID:2100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        616⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        617⤵
        
        PID:4808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        618⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        619⤵
        
        PID:3336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        620⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        621⤵
        
        PID:968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        622⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        623⤵
        
        PID:3272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        624⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        625⤵
        Modifies registry class
        
        PID:3284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        626⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        627⤵
        
        PID:4240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        628⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        629⤵
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        630⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        631⤵
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        632⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        633⤵
        
        PID:3940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        634⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        635⤵
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        636⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        637⤵
        
        PID:4296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        638⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        639⤵
        
        PID:3188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        640⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        641⤵
        
        PID:580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        642⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        643⤵
        
        PID:856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        644⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        645⤵
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        646⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        647⤵
        Modifies registry class
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        648⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        649⤵
        
        PID:1896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        650⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        651⤵
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        652⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        653⤵
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        654⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        655⤵
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        656⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        657⤵
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        658⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        659⤵
        
        PID:2504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        660⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        661⤵
        
        PID:4784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        662⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        663⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        664⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        665⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        666⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        667⤵
        
        PID:3136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        668⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        669⤵
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        670⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        671⤵
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        672⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        673⤵
        
        PID:596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        674⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        675⤵
        
        PID:4664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        676⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        677⤵
        
        PID:4612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        678⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        679⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        680⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        681⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        682⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        683⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        684⤵
        Drops file in Windows directory
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        685⤵
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        686⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        687⤵
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        688⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        689⤵
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        690⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        691⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        692⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        693⤵
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        694⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        695⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        696⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        697⤵
        
        PID:4632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        698⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        699⤵
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        700⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        701⤵
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        702⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        703⤵
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        704⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        705⤵
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        706⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        707⤵
        
        PID:4312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        708⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        709⤵
        
        PID:3768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        710⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        711⤵
        Modifies registry class
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        712⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        713⤵
        
        PID:3220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        714⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        715⤵
        
        PID:3888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        716⤵
        Drops file in Windows directory
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        717⤵
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        718⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        719⤵
        
        PID:3704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        720⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        721⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        722⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        723⤵
        
        PID:1212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        724⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        725⤵
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        726⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        727⤵
        
        PID:804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        728⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        729⤵
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        730⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        731⤵
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        732⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        733⤵
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        734⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        735⤵
        Drops file in Windows directory
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        736⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        737⤵
        
        PID:4916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        738⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        739⤵
        Drops file in Windows directory
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        740⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        741⤵
        Drops file in Windows directory
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        742⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        743⤵
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        744⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        745⤵
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        746⤵
        Drops file in Windows directory
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        747⤵
        
        PID:4884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        748⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        749⤵
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        750⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        751⤵
        Drops file in Windows directory
        
        PID:952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        752⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        753⤵
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        754⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        755⤵
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        756⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        757⤵
        
        PID:1956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        758⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        759⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        760⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        761⤵
        Modifies registry class
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        762⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        763⤵
        
        PID:4512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        764⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        765⤵
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        766⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        767⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        768⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        769⤵
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        770⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        771⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        772⤵
        Drops file in Windows directory
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        773⤵
        
        PID:3916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        774⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        775⤵
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        776⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        777⤵
        Drops file in Windows directory
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        778⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        779⤵
        Modifies registry class
        
        PID:2212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        780⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        781⤵
        
        PID:3892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        782⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        783⤵
        Drops file in Windows directory
        
        PID:4104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        784⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        785⤵
        
        PID:3788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        786⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        787⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        788⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        789⤵
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        790⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        791⤵
        
        PID:420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        792⤵
        Drops file in Windows directory
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        793⤵
        
        PID:3324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        794⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        795⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        796⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        797⤵
        
        PID:3352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        798⤵
        Drops file in Windows directory
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        799⤵
        
        PID:612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        800⤵
        Drops file in Windows directory
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        801⤵
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        802⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        803⤵
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        804⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        805⤵
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        806⤵
        Drops file in Windows directory
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        807⤵
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        808⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        809⤵
        
        PID:2364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        810⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        811⤵
        
        PID:3884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        812⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        813⤵
        Drops file in Windows directory
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        814⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        815⤵
        
        PID:4816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        816⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        817⤵
        
        PID:4876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        818⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        819⤵
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        820⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        821⤵
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        822⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        823⤵
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        824⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        825⤵
        Modifies registry class
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        826⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        827⤵
        
        PID:5008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        828⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        829⤵
        
        PID:4664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        830⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        831⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        832⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        833⤵
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        834⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        835⤵
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        836⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        837⤵
        
        PID:688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        838⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        839⤵
        Modifies registry class
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        840⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        841⤵
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        842⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        843⤵
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        844⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        845⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        846⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        847⤵
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        848⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        849⤵
        
        PID:4380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        850⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        851⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        852⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        853⤵
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
        854⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
        855⤵
        Modifies registry class
        
        PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys

MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit