neshta | af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8

Analysis

max time kernel
173s
max time network
171s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
Size

247KB
MD5

d19dd26e8431e2bf91a977e6cbda25ae
SHA1

5632744a3749814de3964a505091ab368ad1b20b
SHA256

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8
SHA512

1d9b09edb34c1c68024279ab3487b17cf67e2e395cd8a109ff3c1e2d23dadf96c163431019542e58755f294a2dae593b6fb3c7f1b88eca2007629e40dff8d358

Score

10^/10

neshta sodinokibi persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta Payload 35 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Executes dropped EXE 64 IoCs

Processes:

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exesvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.com

pid	process
4060	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
4220	svchost.com
4256	AF47F8~1.EXE
4212	svchost.com
4368	AF47F8~1.EXE
4388	svchost.com
4316	AF47F8~1.EXE
3280	svchost.com
3880	AF47F8~1.EXE
3704	svchost.com
3352	AF47F8~1.EXE
672	svchost.com
764	AF47F8~1.EXE
1068	svchost.com
1232	AF47F8~1.EXE
1448	svchost.com
1624	AF47F8~1.EXE
1876	svchost.com
2056	AF47F8~1.EXE
2340	svchost.com
2564	AF47F8~1.EXE
2660	svchost.com
2692	AF47F8~1.EXE
3964	svchost.com
3164	AF47F8~1.EXE
4816	svchost.com
1312	AF47F8~1.EXE
1892	svchost.com
2956	AF47F8~1.EXE
4900	svchost.com
4544	AF47F8~1.EXE
3932	svchost.com
3152	AF47F8~1.EXE
4880	svchost.com
5048	AF47F8~1.EXE
2604	svchost.com
5040	AF47F8~1.EXE
1088	svchost.com
600	AF47F8~1.EXE
732	svchost.com
2436	AF47F8~1.EXE
4988	svchost.com
356	AF47F8~1.EXE
688	svchost.com
1252	AF47F8~1.EXE
4508	svchost.com
4500	AF47F8~1.EXE
1420	svchost.com
2296	AF47F8~1.EXE
2260	svchost.com
1860	AF47F8~1.EXE
1948	svchost.com
2024	AF47F8~1.EXE
4440	svchost.com
2236	AF47F8~1.EXE
4164	svchost.com
2904	AF47F8~1.EXE
3004	svchost.com
4000	AF47F8~1.EXE
3916	svchost.com
3788	AF47F8~1.EXE
3920	svchost.com
3776	AF47F8~1.EXE
3124	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exeaf47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comsvchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEsvchost.comsvchost.comAF47F8~1.EXEsvchost.comsvchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comsvchost.comsvchost.comAF47F8~1.EXEAF47F8~1.EXEsvchost.comAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEsvchost.comsvchost.comsvchost.comAF47F8~1.EXE

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	AF47F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AF47F8~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

AF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXEAF47F8~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	AF47F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exeaf47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exesvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXEsvchost.comAF47F8~1.EXE

description	pid	process	target process
PID 496 wrote to memory of 4060	496	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
PID 496 wrote to memory of 4060	496	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
PID 496 wrote to memory of 4060	496	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
PID 4060 wrote to memory of 4220	4060	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	svchost.com
PID 4060 wrote to memory of 4220	4060	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	svchost.com
PID 4060 wrote to memory of 4220	4060	af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe	svchost.com
PID 4220 wrote to memory of 4256	4220	svchost.com	AF47F8~1.EXE
PID 4220 wrote to memory of 4256	4220	svchost.com	AF47F8~1.EXE
PID 4220 wrote to memory of 4256	4220	svchost.com	AF47F8~1.EXE
PID 4256 wrote to memory of 4212	4256	AF47F8~1.EXE	svchost.com
PID 4256 wrote to memory of 4212	4256	AF47F8~1.EXE	svchost.com
PID 4256 wrote to memory of 4212	4256	AF47F8~1.EXE	svchost.com
PID 4212 wrote to memory of 4368	4212	svchost.com	AF47F8~1.EXE
PID 4212 wrote to memory of 4368	4212	svchost.com	AF47F8~1.EXE
PID 4212 wrote to memory of 4368	4212	svchost.com	AF47F8~1.EXE
PID 4368 wrote to memory of 4388	4368	AF47F8~1.EXE	svchost.com
PID 4368 wrote to memory of 4388	4368	AF47F8~1.EXE	svchost.com
PID 4368 wrote to memory of 4388	4368	AF47F8~1.EXE	svchost.com
PID 4388 wrote to memory of 4316	4388	svchost.com	AF47F8~1.EXE
PID 4388 wrote to memory of 4316	4388	svchost.com	AF47F8~1.EXE
PID 4388 wrote to memory of 4316	4388	svchost.com	AF47F8~1.EXE
PID 4316 wrote to memory of 3280	4316	AF47F8~1.EXE	svchost.com
PID 4316 wrote to memory of 3280	4316	AF47F8~1.EXE	svchost.com
PID 4316 wrote to memory of 3280	4316	AF47F8~1.EXE	svchost.com
PID 3280 wrote to memory of 3880	3280	svchost.com	AF47F8~1.EXE
PID 3280 wrote to memory of 3880	3280	svchost.com	AF47F8~1.EXE
PID 3280 wrote to memory of 3880	3280	svchost.com	AF47F8~1.EXE
PID 3880 wrote to memory of 3704	3880	AF47F8~1.EXE	svchost.com
PID 3880 wrote to memory of 3704	3880	AF47F8~1.EXE	svchost.com
PID 3880 wrote to memory of 3704	3880	AF47F8~1.EXE	svchost.com
PID 3704 wrote to memory of 3352	3704	svchost.com	AF47F8~1.EXE
PID 3704 wrote to memory of 3352	3704	svchost.com	AF47F8~1.EXE
PID 3704 wrote to memory of 3352	3704	svchost.com	AF47F8~1.EXE
PID 3352 wrote to memory of 672	3352	AF47F8~1.EXE	svchost.com
PID 3352 wrote to memory of 672	3352	AF47F8~1.EXE	svchost.com
PID 3352 wrote to memory of 672	3352	AF47F8~1.EXE	svchost.com
PID 672 wrote to memory of 764	672	svchost.com	AF47F8~1.EXE
PID 672 wrote to memory of 764	672	svchost.com	AF47F8~1.EXE
PID 672 wrote to memory of 764	672	svchost.com	AF47F8~1.EXE
PID 764 wrote to memory of 1068	764	AF47F8~1.EXE	svchost.com
PID 764 wrote to memory of 1068	764	AF47F8~1.EXE	svchost.com
PID 764 wrote to memory of 1068	764	AF47F8~1.EXE	svchost.com
PID 1068 wrote to memory of 1232	1068	svchost.com	AF47F8~1.EXE
PID 1068 wrote to memory of 1232	1068	svchost.com	AF47F8~1.EXE
PID 1068 wrote to memory of 1232	1068	svchost.com	AF47F8~1.EXE
PID 1232 wrote to memory of 1448	1232	AF47F8~1.EXE	svchost.com
PID 1232 wrote to memory of 1448	1232	AF47F8~1.EXE	svchost.com
PID 1232 wrote to memory of 1448	1232	AF47F8~1.EXE	svchost.com
PID 1448 wrote to memory of 1624	1448	svchost.com	AF47F8~1.EXE
PID 1448 wrote to memory of 1624	1448	svchost.com	AF47F8~1.EXE
PID 1448 wrote to memory of 1624	1448	svchost.com	AF47F8~1.EXE
PID 1624 wrote to memory of 1876	1624	AF47F8~1.EXE	svchost.com
PID 1624 wrote to memory of 1876	1624	AF47F8~1.EXE	svchost.com
PID 1624 wrote to memory of 1876	1624	AF47F8~1.EXE	svchost.com
PID 1876 wrote to memory of 2056	1876	svchost.com	AF47F8~1.EXE
PID 1876 wrote to memory of 2056	1876	svchost.com	AF47F8~1.EXE
PID 1876 wrote to memory of 2056	1876	svchost.com	AF47F8~1.EXE
PID 2056 wrote to memory of 2340	2056	AF47F8~1.EXE	svchost.com
PID 2056 wrote to memory of 2340	2056	AF47F8~1.EXE	svchost.com
PID 2056 wrote to memory of 2340	2056	AF47F8~1.EXE	svchost.com
PID 2340 wrote to memory of 2564	2340	svchost.com	AF47F8~1.EXE
PID 2340 wrote to memory of 2564	2340	svchost.com	AF47F8~1.EXE
PID 2340 wrote to memory of 2564	2340	svchost.com	AF47F8~1.EXE
PID 2564 wrote to memory of 2660	2564	AF47F8~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
"C:\Users\Admin\AppData\Local\Temp\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
23⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
24⤵
- Executes dropped EXE
PID:2692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
25⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3964

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
2⤵
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
3⤵
- Executes dropped EXE
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
4⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
5⤵
- Executes dropped EXE
PID:2956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
6⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
7⤵
- Executes dropped EXE
PID:4544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
8⤵
- Executes dropped EXE
PID:3932

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
9⤵
- Executes dropped EXE
PID:3152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
10⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
11⤵
- Executes dropped EXE
PID:5048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
12⤵
- Executes dropped EXE
PID:2604

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
13⤵
- Executes dropped EXE
PID:5040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
14⤵
- Executes dropped EXE
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
15⤵
- Executes dropped EXE
PID:600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
16⤵
- Executes dropped EXE
PID:732

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
17⤵
- Executes dropped EXE
PID:2436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
18⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
19⤵
- Executes dropped EXE
PID:356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
20⤵
- Executes dropped EXE
PID:688

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
21⤵
- Executes dropped EXE
PID:1252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
22⤵
- Executes dropped EXE
PID:4508

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
23⤵
- Executes dropped EXE
PID:4500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
24⤵
- Executes dropped EXE
PID:1420

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
25⤵
- Executes dropped EXE
PID:2296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
26⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
27⤵
- Executes dropped EXE
PID:1860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
28⤵
- Executes dropped EXE
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
29⤵
- Executes dropped EXE
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
30⤵
- Executes dropped EXE
PID:4440

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
31⤵
- Executes dropped EXE
- Modifies registry class
PID:2236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
32⤵
- Executes dropped EXE
PID:4164

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
33⤵
- Executes dropped EXE
PID:2904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
34⤵
- Executes dropped EXE
PID:3004

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
35⤵
- Executes dropped EXE
PID:4000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
36⤵
- Executes dropped EXE
PID:3916

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
37⤵
- Executes dropped EXE
PID:3788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
38⤵
- Executes dropped EXE
PID:3920

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
39⤵
- Executes dropped EXE
PID:3776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
40⤵
- Executes dropped EXE
PID:3124

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
41⤵
PID:4996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
42⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
43⤵
PID:344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
44⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
45⤵
PID:4228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
46⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
47⤵
PID:4336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
48⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
49⤵
PID:4396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
50⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
51⤵
PID:3264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
52⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
53⤵
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
54⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
55⤵
PID:584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
56⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
57⤵
PID:3704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
58⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
59⤵
PID:916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
60⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
61⤵
PID:1268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
62⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
63⤵
PID:412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
64⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
65⤵
PID:1500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
66⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
67⤵
PID:3288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
68⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
69⤵
PID:2676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
70⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
71⤵
PID:3744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
72⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
1⤵
PID:3968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
2⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
3⤵
PID:4536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
4⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
5⤵
PID:4816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
6⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
7⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
8⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
9⤵
PID:1528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
10⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
11⤵
PID:4544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
12⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
13⤵
PID:3120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
14⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
15⤵
PID:2880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
16⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
17⤵
- Modifies registry class
PID:392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
18⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
19⤵
- Drops file in Windows directory
PID:2616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
20⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
21⤵
PID:4904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
22⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
23⤵
PID:1996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
24⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
25⤵
- Modifies registry class
PID:1240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
26⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
27⤵
PID:4504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
28⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
29⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
30⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
31⤵
- Modifies registry class
PID:1712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
32⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
33⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
34⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
35⤵
PID:2320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
36⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
37⤵
PID:2960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
38⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
39⤵
PID:4736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
40⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
41⤵
PID:3892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
42⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
43⤵
PID:3292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
44⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
45⤵
PID:4996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
46⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
47⤵
PID:4360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
48⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
49⤵
- Modifies registry class
PID:4340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
50⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
51⤵
PID:4312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
52⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
53⤵
PID:4388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
54⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
55⤵
PID:3260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
56⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
57⤵
- Modifies registry class
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
58⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
59⤵
PID:428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
60⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
61⤵
PID:1428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
62⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
63⤵
PID:1512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
64⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
65⤵
PID:1068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
66⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
67⤵
- Modifies registry class
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
68⤵
- Drops file in Windows directory
PID:2484

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
69⤵
PID:2608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
70⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
71⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
72⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
73⤵
PID:2052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
74⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
75⤵
- Modifies registry class
PID:3740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
76⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
77⤵
PID:3964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
78⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
79⤵
PID:1168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
80⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
81⤵
PID:2308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
82⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
83⤵
PID:4840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
84⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
85⤵
- Modifies registry class
PID:3128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
86⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
87⤵
PID:5032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
88⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
89⤵
PID:2896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
90⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
91⤵
PID:2600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
92⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
93⤵
PID:732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
94⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
95⤵
PID:2376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
96⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
97⤵
PID:364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
98⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
99⤵
PID:1252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
100⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
101⤵
PID:3012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
102⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
103⤵
PID:1708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
104⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
105⤵
PID:2260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
106⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
107⤵
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
108⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
109⤵
PID:2236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
110⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
111⤵
PID:5012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
112⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
113⤵
PID:3296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
114⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
115⤵
PID:4376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
116⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
117⤵
PID:4984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
118⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
119⤵
PID:3940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
120⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
121⤵
PID:4224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
122⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
123⤵
PID:3184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
124⤵
- Drops file in Windows directory
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
125⤵
PID:4320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
126⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
127⤵
PID:4448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
128⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
129⤵
- Drops file in Windows directory
PID:4424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
130⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
131⤵
PID:500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
132⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
133⤵
- Modifies registry class
PID:4436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
134⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
135⤵
PID:1212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
136⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
137⤵
PID:1424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
138⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
139⤵
PID:1268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
140⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
141⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
142⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
143⤵
PID:2344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
144⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
145⤵
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
146⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
147⤵
- Modifies registry class
PID:2872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
148⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
149⤵
PID:4812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
150⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
151⤵
PID:1196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
152⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
153⤵
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
154⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
155⤵
PID:4576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
156⤵
- Drops file in Windows directory
PID:3148

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
157⤵
PID:4592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
158⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
159⤵
PID:5020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
160⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
161⤵
PID:4428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
162⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
163⤵
PID:1180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
164⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
165⤵
PID:936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
166⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
167⤵
PID:2008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
168⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
169⤵
- Modifies registry class
PID:4912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
170⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
171⤵
PID:4520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
172⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
173⤵
PID:1764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
174⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
175⤵
PID:2160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
176⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
177⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
178⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
179⤵
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
180⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
181⤵
- Modifies registry class
PID:4976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
182⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
183⤵
- Modifies registry class
PID:3628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
184⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
185⤵
- Modifies registry class
PID:4736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
186⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
187⤵
PID:4376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
188⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
189⤵
- Modifies registry class
PID:4132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
190⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
191⤵
PID:372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
192⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
193⤵
PID:5100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
194⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
195⤵
PID:4360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
196⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
197⤵
PID:3252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
198⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
199⤵
PID:4328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
200⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
201⤵
PID:3880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
202⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
131⤵
PID:512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
132⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
133⤵
PID:3092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
134⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
135⤵
PID:764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
136⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
137⤵
PID:1120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
138⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
139⤵
- Modifies registry class
PID:1232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
140⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
141⤵
PID:2808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
142⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
143⤵
PID:2632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
144⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
145⤵
- Modifies registry class
PID:3060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
146⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
147⤵
- Modifies registry class
PID:1336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
148⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
149⤵
- Modifies registry class
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
150⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
151⤵
PID:4828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
152⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
153⤵
PID:4560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
154⤵
- Drops file in Windows directory
PID:4840

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
155⤵
PID:4584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
156⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
157⤵
- Modifies registry class
PID:4620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
158⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
159⤵
PID:3144

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
160⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
161⤵
- Drops file in Windows directory
PID:392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
162⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
163⤵
PID:5060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
164⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
165⤵
PID:1184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
166⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
167⤵
PID:2436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
168⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
169⤵
PID:4528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
170⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
171⤵
PID:1332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
172⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
173⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
174⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
175⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
176⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
177⤵
PID:2368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
178⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
179⤵
PID:4440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
180⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
181⤵
PID:4972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
182⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
183⤵
PID:4944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
184⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
185⤵
PID:2840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
186⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
187⤵
PID:3284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
188⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
189⤵
PID:3768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
190⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
191⤵
PID:3292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
192⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
193⤵
PID:4248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
194⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
195⤵
PID:4348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
196⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
197⤵
PID:4368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
198⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
199⤵
PID:3324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
200⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
201⤵
- Drops file in Windows directory
PID:420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
202⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
203⤵
PID:3352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
204⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
205⤵
PID:740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
206⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
207⤵
PID:428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
208⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
209⤵
PID:804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
210⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
211⤵
PID:1244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
212⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
213⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
214⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
215⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
216⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
217⤵
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
218⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
219⤵
PID:2680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
220⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
221⤵
PID:4812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
222⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
223⤵
PID:2968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
224⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
225⤵
PID:4848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
226⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
227⤵
- Drops file in Windows directory
PID:3512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
228⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
229⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
230⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
231⤵
PID:4432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
232⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
233⤵
PID:2896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
234⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
235⤵
PID:700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
236⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
237⤵
PID:2616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
238⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
239⤵
PID:3328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
240⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
241⤵
- Modifies registry class
PID:1300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
242⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
243⤵
PID:1360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
244⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
245⤵
PID:2076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
246⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
247⤵
PID:3020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
248⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
249⤵
PID:2256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
250⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
251⤵
PID:3336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
252⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
253⤵
PID:4684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
254⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
255⤵
PID:3628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
256⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
257⤵
PID:4736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
258⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
259⤵
- Modifies registry class
PID:3892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
260⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
261⤵
PID:3936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
262⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
263⤵
- Drops file in Windows directory
PID:1668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
264⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
265⤵
- Modifies registry class
PID:3228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
266⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
267⤵
PID:3184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
268⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
269⤵
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
270⤵
- Drops file in Windows directory
PID:4372

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
271⤵
PID:588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
272⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
273⤵
PID:3880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
274⤵
PID:420

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
275⤵
PID:512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
276⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
277⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
278⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
279⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
280⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
281⤵
PID:672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
282⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
283⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
284⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
285⤵
PID:1232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
286⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
287⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
288⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
289⤵
- Modifies registry class
PID:3080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
290⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
291⤵
PID:2660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
292⤵
- Drops file in Windows directory
PID:2680

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
293⤵
PID:3740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
294⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
295⤵
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
296⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
297⤵
PID:4936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
298⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
299⤵
PID:4576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
300⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
301⤵
- Modifies registry class
PID:772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
302⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
303⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
304⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
305⤵
PID:4432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
306⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
307⤵
PID:68

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
308⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
309⤵
PID:700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
310⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
311⤵
PID:936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
312⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
313⤵
PID:3328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
314⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
315⤵
PID:1300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
316⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
317⤵
PID:4496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
318⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
319⤵
PID:1804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
320⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
321⤵
PID:2372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
322⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
323⤵
- Modifies registry class
PID:2256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
324⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
325⤵
- Modifies registry class
PID:3140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
326⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
327⤵
PID:4684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
328⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
329⤵
PID:3628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
330⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
331⤵
- Drops file in Windows directory
PID:3752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
332⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
333⤵
PID:4104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
334⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
335⤵
PID:3936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
336⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
337⤵
PID:3768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
338⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
339⤵
PID:3228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
340⤵
- Drops file in Windows directory
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
341⤵
PID:3184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
342⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
343⤵
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
344⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
345⤵
PID:588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
346⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
347⤵
PID:3880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
348⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
349⤵
PID:512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
350⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
351⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
352⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
353⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
354⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
355⤵
PID:672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
356⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
357⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
358⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
359⤵
- Modifies registry class
PID:1232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
360⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
361⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
362⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
363⤵
PID:3080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
364⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
365⤵
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
366⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
367⤵
PID:4872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
368⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
369⤵
PID:4852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
370⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
371⤵
PID:4900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
372⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
373⤵
PID:4564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
374⤵
- Drops file in Windows directory
PID:768

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
375⤵
PID:3152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
376⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
377⤵
PID:5056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
378⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
379⤵
- Modifies registry class
PID:5028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
380⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
381⤵
PID:2628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
382⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
383⤵
- Modifies registry class
PID:600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
384⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
385⤵
PID:4608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
386⤵
- Drops file in Windows directory
PID:4516

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
387⤵
PID:4508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
388⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
389⤵
- Drops file in Windows directory
- Modifies registry class
PID:1332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
390⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
391⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
392⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
393⤵
PID:944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
394⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
395⤵
PID:4488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
396⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
397⤵
PID:2972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
398⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
399⤵
PID:4956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
400⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
401⤵
PID:5012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
402⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
403⤵
PID:3712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
404⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
405⤵
PID:3776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
406⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
407⤵
PID:4040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
408⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
409⤵
PID:2176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
410⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
411⤵
- Modifies registry class
PID:4252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
412⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
413⤵
- Modifies registry class
PID:4420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
414⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
415⤵
PID:4324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
416⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
417⤵
PID:2000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
418⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
419⤵
PID:3996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
420⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
421⤵
PID:2480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
422⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
423⤵
PID:612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
424⤵
- Drops file in Windows directory
PID:3192

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
425⤵
PID:1228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
426⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
427⤵
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
428⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
429⤵
PID:3256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
430⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
431⤵
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
432⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
433⤵
PID:3288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
434⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
435⤵
- Drops file in Windows directory
PID:2900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
436⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
437⤵
PID:2592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
438⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
439⤵
PID:4824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
440⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
441⤵
PID:3588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
442⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
443⤵
- Modifies registry class
PID:4572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
444⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
445⤵
PID:2968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
446⤵
- Drops file in Windows directory
PID:4576

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
447⤵
- Drops file in Windows directory
PID:4588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
448⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
449⤵
PID:4620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
450⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
451⤵
PID:3144

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
452⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
453⤵
PID:2896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
454⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
455⤵
PID:5040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
456⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
457⤵
PID:664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
458⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
459⤵
PID:1296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
460⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
461⤵
- Drops file in Windows directory
PID:4528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
462⤵
- Drops file in Windows directory
PID:356

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
463⤵
PID:1152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
464⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
465⤵
PID:4520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
466⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
467⤵
PID:3020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
468⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
469⤵
PID:1992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
470⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
471⤵
PID:2304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
472⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
473⤵
PID:4952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
474⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
475⤵
PID:3064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
476⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
477⤵
PID:3476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
478⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
479⤵
PID:4688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
480⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
481⤵
PID:3952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
482⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
483⤵
PID:760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
484⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
485⤵
- Modifies registry class
PID:4336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
486⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
487⤵
PID:4276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
488⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
489⤵
PID:344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
490⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
491⤵
PID:3096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
492⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
493⤵
- Modifies registry class
PID:4328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
494⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
495⤵
PID:3320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
496⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
497⤵
- Modifies registry class
PID:500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
498⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
499⤵
PID:584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
500⤵
- Drops file in Windows directory
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
501⤵
PID:1120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
502⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
503⤵
PID:1444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
504⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
505⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
506⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
507⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
508⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
509⤵
PID:4796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
510⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
511⤵
PID:2624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
512⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
513⤵
PID:4028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
514⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
515⤵
PID:3164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
516⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
517⤵
PID:1528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
518⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
519⤵
PID:4900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
520⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
521⤵
PID:1536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
522⤵
- Drops file in Windows directory
PID:5032

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
523⤵
PID:3152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
524⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
525⤵
PID:2548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
526⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
527⤵
PID:4764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
528⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
529⤵
PID:2008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
530⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
531⤵
- Drops file in Windows directory
PID:4912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
532⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
533⤵
PID:4532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
534⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
535⤵
PID:1300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
536⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
537⤵
PID:4500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
538⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
539⤵
PID:1804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
540⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
541⤵
PID:1860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
542⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
543⤵
- Modifies registry class
PID:2372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
544⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
545⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
546⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
547⤵
- Modifies registry class
PID:4000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
548⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
549⤵
PID:3168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
550⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
551⤵
PID:3284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
552⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
553⤵
- Drops file in Windows directory
- Modifies registry class
PID:4240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
554⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
555⤵
- Modifies registry class
PID:4036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
556⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
557⤵
PID:4344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
558⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
559⤵
- Drops file in Windows directory
PID:5100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
560⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
561⤵
PID:4320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
562⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
563⤵
- Drops file in Windows directory
PID:3112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
564⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
565⤵
PID:4220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
566⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
567⤵
PID:2852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
568⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
569⤵
PID:856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
570⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
571⤵
PID:764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
572⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
573⤵
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
574⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
575⤵
PID:1244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
576⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
577⤵
PID:916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
578⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
579⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
580⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
581⤵
PID:4076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
582⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
583⤵
- Drops file in Windows directory
PID:2632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
584⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
585⤵
PID:3060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
586⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
587⤵
- Drops file in Windows directory
PID:2956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
588⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
589⤵
- Drops file in Windows directory
PID:4548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
590⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
591⤵
PID:4580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
592⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
593⤵
PID:4880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
594⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
595⤵
PID:3120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
596⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
597⤵
PID:5020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
598⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
599⤵
PID:5056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
600⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
601⤵
PID:4660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
602⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
603⤵
- Drops file in Windows directory
PID:4760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
604⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
605⤵
PID:1136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
606⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
607⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
608⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
609⤵
PID:1712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
610⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
611⤵
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
612⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
613⤵
PID:1724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
614⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
615⤵
PID:2100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
616⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
617⤵
PID:4808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
618⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
619⤵
PID:3336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
620⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
621⤵
PID:968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
622⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
623⤵
PID:3272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
624⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
625⤵
- Modifies registry class
PID:3284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
626⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
627⤵
PID:4240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
628⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
629⤵
PID:1020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
630⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
631⤵
PID:4344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
632⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
633⤵
PID:3940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
634⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
635⤵
PID:4212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
636⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
637⤵
PID:4296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
638⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
639⤵
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
640⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
641⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
642⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
643⤵
PID:856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
644⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
645⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
646⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
647⤵
- Modifies registry class
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
648⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
649⤵
PID:1896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
650⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
651⤵
PID:916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
652⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
653⤵
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
654⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
655⤵
PID:4080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
656⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
657⤵
PID:2632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
658⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
659⤵
PID:2504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
660⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
661⤵
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
662⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
663⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
664⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
665⤵
- Modifies registry class
PID:4968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
666⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
667⤵
PID:3136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
668⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
669⤵
PID:1284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
670⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
671⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
672⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
673⤵
PID:596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
674⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
675⤵
PID:4664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
676⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
677⤵
PID:4612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
678⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
679⤵
- Drops file in Windows directory
- Modifies registry class
PID:3328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
680⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
681⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
682⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
683⤵
PID:3012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
684⤵
- Drops file in Windows directory
PID:4512

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
685⤵
PID:3028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
686⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
687⤵
PID:2292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
688⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
689⤵
PID:4440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
690⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
691⤵
PID:2304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
692⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
693⤵
PID:4952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
694⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
695⤵
PID:3064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
696⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
697⤵
PID:4632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
698⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
699⤵
PID:2960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
700⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
701⤵
PID:3476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
702⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
703⤵
PID:4596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
704⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
705⤵
PID:2176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
706⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
707⤵
PID:4312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
708⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
709⤵
PID:3768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
710⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
711⤵
- Modifies registry class
PID:4384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
712⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
713⤵
PID:3220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
714⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
715⤵
PID:3888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
716⤵
- Drops file in Windows directory
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
717⤵
PID:3996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
718⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
719⤵
PID:3704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
720⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
721⤵
PID:1228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
722⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
723⤵
PID:1212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
724⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
725⤵
PID:1244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
726⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
727⤵
PID:804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
728⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
729⤵
PID:3088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
730⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
731⤵
PID:2696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
732⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
733⤵
PID:2676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
734⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
735⤵
- Drops file in Windows directory
PID:1336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
736⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
737⤵
PID:4916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
738⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
739⤵
- Drops file in Windows directory
PID:2308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
740⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
741⤵
- Drops file in Windows directory
PID:4828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
742⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
743⤵
PID:4588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
744⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
745⤵
PID:5064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
746⤵
- Drops file in Windows directory
PID:5068

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
747⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
748⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
749⤵
PID:3824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
750⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
751⤵
- Drops file in Windows directory
PID:952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
752⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
753⤵
PID:2324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
754⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
755⤵
PID:2376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
756⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
757⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
758⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
759⤵
PID:2452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
760⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
761⤵
- Modifies registry class
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
762⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
763⤵
PID:4512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
764⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
765⤵
PID:2196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
766⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
767⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
768⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
769⤵
PID:4164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
770⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
771⤵
PID:2256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
772⤵
- Drops file in Windows directory
PID:3772

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
773⤵
PID:3916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
774⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
775⤵
PID:4604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
776⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
777⤵
- Drops file in Windows directory
PID:5012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
778⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
779⤵
- Modifies registry class
PID:2212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
780⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
781⤵
PID:3892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
782⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
783⤵
- Drops file in Windows directory
PID:4104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
784⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
785⤵
PID:3788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
786⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
787⤵
PID:2992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
788⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
789⤵
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
790⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
791⤵
PID:420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
792⤵
- Drops file in Windows directory
PID:4084

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
793⤵
PID:3324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
794⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
795⤵
- Modifies registry class
PID:3260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
796⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
797⤵
PID:3352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
798⤵
- Drops file in Windows directory
PID:3092

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
799⤵
PID:612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
800⤵
- Drops file in Windows directory
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
801⤵
PID:640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
802⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
803⤵
PID:2484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
804⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
805⤵
PID:2460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
806⤵
- Drops file in Windows directory
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
807⤵
PID:2156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
808⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
809⤵
PID:2364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
810⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
811⤵
PID:3884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
812⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
813⤵
- Drops file in Windows directory
PID:4536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
814⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
815⤵
PID:4816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
816⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
817⤵
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
818⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
819⤵
PID:4828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
820⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
821⤵
PID:4848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
822⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
823⤵
PID:772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
824⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
825⤵
- Modifies registry class
PID:2896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
826⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
827⤵
PID:5008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
828⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
829⤵
PID:4664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
830⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
831⤵
PID:2616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
832⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
833⤵
PID:1240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
834⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
835⤵
PID:1872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
836⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
837⤵
PID:688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
838⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
839⤵
- Modifies registry class
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
840⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
841⤵
PID:1968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
842⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
843⤵
PID:2400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
844⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
845⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
846⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
847⤵
PID:2972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
848⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
849⤵
PID:4380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
850⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
851⤵
- Modifies registry class
PID:4976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
852⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
853⤵
PID:4092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE"
854⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
855⤵
- Modifies registry class
PID:372

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AF47F8~1.EXE
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\af47f867ba8d67380321101fe6fb6a4bb087e8bd22ad3bf8989c5dee667740a8.exe
MD5
aa7f122412d4914c4554b7091d3abd03

SHA1
95447dae22f5019d9f898ad430a991fe1f29645e

SHA256
19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

SHA512
713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\directx.sys
MD5
63526a09285da165d513e178d24df3e1

SHA1
c4736e731454d2903c4b9f68f7ef6e4fd5abb17c

SHA256
c180d7a0bdb5211c0b2a9ec0d285040893c156a0744d7190cb014113089a4def

SHA512
6e036984a10237bccf704458c14fc6d89e7b3dc587a5b440ab4017c113afd5732a834da5f86f3e99df430483cfe4b287c0e239e93ccc787274d5cde4df9b6c17

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads