neshta | d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4

Analysis

max time kernel
174s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
Size

350KB
MD5

61c2f591e42c5fefb70fab8fecdf6470
SHA1

fe6a5aaf3dc520190b5329528bc3adb44ee3a222
SHA256

d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4
SHA512

70e166a3a7a0101a847ec144962556488a798fef6d4dee5293ab19755455a954ab1018111187608629a8bae479323578a9fdaa8926ba310e6118e8b4a2165c40
SSDEEP

6144:PuggR1hv6aDqw42XoiEEvXQdM+m9BmKR644u:AbhWw42YiEGQ+QKF

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exesvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.com

pid	process
4816	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
5036	svchost.com
4696	D467F5~1.EXE
5048	svchost.com
3928	D467F5~1.EXE
1336	svchost.com
3588	D467F5~1.EXE
4616	svchost.com
4300	D467F5~1.EXE
1188	svchost.com
1248	D467F5~1.EXE
3144	svchost.com
4248	D467F5~1.EXE
2592	svchost.com
5076	D467F5~1.EXE
3764	svchost.com
3404	D467F5~1.EXE
3912	svchost.com
2608	D467F5~1.EXE
4176	svchost.com
3244	D467F5~1.EXE
2916	svchost.com
1744	D467F5~1.EXE
3552	svchost.com
4540	D467F5~1.EXE
1340	svchost.com
1012	D467F5~1.EXE
820	svchost.com
2156	D467F5~1.EXE
2432	svchost.com
4296	D467F5~1.EXE
4936	svchost.com
1656	D467F5~1.EXE
1524	svchost.com
1696	D467F5~1.EXE
4124	svchost.com
4536	D467F5~1.EXE
400	svchost.com
4164	D467F5~1.EXE
4344	svchost.com
2256	D467F5~1.EXE
1844	svchost.com
2368	D467F5~1.EXE
4896	svchost.com
4688	D467F5~1.EXE
4736	svchost.com
1356	D467F5~1.EXE
1320	svchost.com
2232	D467F5~1.EXE
624	svchost.com
2092	D467F5~1.EXE
4444	svchost.com
2016	D467F5~1.EXE
880	svchost.com
112	D467F5~1.EXE
1260	svchost.com
1836	D467F5~1.EXE
1828	svchost.com
776	D467F5~1.EXE
4248	svchost.com
2408	D467F5~1.EXE
5068	svchost.com
2592	D467F5~1.EXE
2932	svchost.com

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D467F5~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exed467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Drops file in Windows directory 64 IoCs

Processes:

D467F5~1.EXEsvchost.comsvchost.comsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comsvchost.comD467F5~1.EXED467F5~1.EXED467F5~1.EXEsvchost.comsvchost.comD467F5~1.EXEsvchost.comsvchost.comD467F5~1.EXEsvchost.comsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comsvchost.comD467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comD467F5~1.EXED467F5~1.EXED467F5~1.EXEsvchost.comsvchost.comsvchost.comD467F5~1.EXED467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXED467F5~1.EXEsvchost.comsvchost.comsvchost.comD467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXEsvchost.comD467F5~1.EXED467F5~1.EXEsvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	D467F5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

D467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXEd467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exeD467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXED467F5~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	D467F5~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exed467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exesvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXEsvchost.comD467F5~1.EXE

description	pid	process	target process
PID 4904 wrote to memory of 4816	4904	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
PID 4904 wrote to memory of 4816	4904	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
PID 4904 wrote to memory of 4816	4904	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
PID 4816 wrote to memory of 5036	4816	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe	svchost.com
PID 4816 wrote to memory of 5036	4816	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe	svchost.com
PID 4816 wrote to memory of 5036	4816	d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe	svchost.com
PID 5036 wrote to memory of 4696	5036	svchost.com	D467F5~1.EXE
PID 5036 wrote to memory of 4696	5036	svchost.com	D467F5~1.EXE
PID 5036 wrote to memory of 4696	5036	svchost.com	D467F5~1.EXE
PID 4696 wrote to memory of 5048	4696	D467F5~1.EXE	svchost.com
PID 4696 wrote to memory of 5048	4696	D467F5~1.EXE	svchost.com
PID 4696 wrote to memory of 5048	4696	D467F5~1.EXE	svchost.com
PID 5048 wrote to memory of 3928	5048	svchost.com	D467F5~1.EXE
PID 5048 wrote to memory of 3928	5048	svchost.com	D467F5~1.EXE
PID 5048 wrote to memory of 3928	5048	svchost.com	D467F5~1.EXE
PID 3928 wrote to memory of 1336	3928	D467F5~1.EXE	svchost.com
PID 3928 wrote to memory of 1336	3928	D467F5~1.EXE	svchost.com
PID 3928 wrote to memory of 1336	3928	D467F5~1.EXE	svchost.com
PID 1336 wrote to memory of 3588	1336	svchost.com	D467F5~1.EXE
PID 1336 wrote to memory of 3588	1336	svchost.com	D467F5~1.EXE
PID 1336 wrote to memory of 3588	1336	svchost.com	D467F5~1.EXE
PID 3588 wrote to memory of 4616	3588	D467F5~1.EXE	svchost.com
PID 3588 wrote to memory of 4616	3588	D467F5~1.EXE	svchost.com
PID 3588 wrote to memory of 4616	3588	D467F5~1.EXE	svchost.com
PID 4616 wrote to memory of 4300	4616	svchost.com	D467F5~1.EXE
PID 4616 wrote to memory of 4300	4616	svchost.com	D467F5~1.EXE
PID 4616 wrote to memory of 4300	4616	svchost.com	D467F5~1.EXE
PID 4300 wrote to memory of 1188	4300	D467F5~1.EXE	svchost.com
PID 4300 wrote to memory of 1188	4300	D467F5~1.EXE	svchost.com
PID 4300 wrote to memory of 1188	4300	D467F5~1.EXE	svchost.com
PID 1188 wrote to memory of 1248	1188	svchost.com	D467F5~1.EXE
PID 1188 wrote to memory of 1248	1188	svchost.com	D467F5~1.EXE
PID 1188 wrote to memory of 1248	1188	svchost.com	D467F5~1.EXE
PID 1248 wrote to memory of 3144	1248	D467F5~1.EXE	svchost.com
PID 1248 wrote to memory of 3144	1248	D467F5~1.EXE	svchost.com
PID 1248 wrote to memory of 3144	1248	D467F5~1.EXE	svchost.com
PID 3144 wrote to memory of 4248	3144	svchost.com	D467F5~1.EXE
PID 3144 wrote to memory of 4248	3144	svchost.com	D467F5~1.EXE
PID 3144 wrote to memory of 4248	3144	svchost.com	D467F5~1.EXE
PID 4248 wrote to memory of 2592	4248	D467F5~1.EXE	svchost.com
PID 4248 wrote to memory of 2592	4248	D467F5~1.EXE	svchost.com
PID 4248 wrote to memory of 2592	4248	D467F5~1.EXE	svchost.com
PID 2592 wrote to memory of 5076	2592	svchost.com	D467F5~1.EXE
PID 2592 wrote to memory of 5076	2592	svchost.com	D467F5~1.EXE
PID 2592 wrote to memory of 5076	2592	svchost.com	D467F5~1.EXE
PID 5076 wrote to memory of 3764	5076	D467F5~1.EXE	svchost.com
PID 5076 wrote to memory of 3764	5076	D467F5~1.EXE	svchost.com
PID 5076 wrote to memory of 3764	5076	D467F5~1.EXE	svchost.com
PID 3764 wrote to memory of 3404	3764	svchost.com	D467F5~1.EXE
PID 3764 wrote to memory of 3404	3764	svchost.com	D467F5~1.EXE
PID 3764 wrote to memory of 3404	3764	svchost.com	D467F5~1.EXE
PID 3404 wrote to memory of 3912	3404	D467F5~1.EXE	svchost.com
PID 3404 wrote to memory of 3912	3404	D467F5~1.EXE	svchost.com
PID 3404 wrote to memory of 3912	3404	D467F5~1.EXE	svchost.com
PID 3912 wrote to memory of 2608	3912	svchost.com	D467F5~1.EXE
PID 3912 wrote to memory of 2608	3912	svchost.com	D467F5~1.EXE
PID 3912 wrote to memory of 2608	3912	svchost.com	D467F5~1.EXE
PID 2608 wrote to memory of 4176	2608	D467F5~1.EXE	svchost.com
PID 2608 wrote to memory of 4176	2608	D467F5~1.EXE	svchost.com
PID 2608 wrote to memory of 4176	2608	D467F5~1.EXE	svchost.com
PID 4176 wrote to memory of 3244	4176	svchost.com	D467F5~1.EXE
PID 4176 wrote to memory of 3244	4176	svchost.com	D467F5~1.EXE
PID 4176 wrote to memory of 3244	4176	svchost.com	D467F5~1.EXE
PID 3244 wrote to memory of 2916	3244	D467F5~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
"C:\Users\Admin\AppData\Local\Temp\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        30⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        48⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        56⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        66⤵
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        67⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        68⤵
        Checks computer location settings
        
        PID:3404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        69⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        70⤵
        Checks computer location settings
        
        PID:4268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        71⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        72⤵
        
        PID:4352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        73⤵
        Drops file in Windows directory
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        74⤵
        
        PID:3920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        75⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        76⤵
        Checks computer location settings
        
        PID:3488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        77⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        78⤵
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        79⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        80⤵
        Checks computer location settings
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        81⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        82⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        83⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        84⤵
        
        PID:3100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        85⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        86⤵
        Modifies registry class
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        87⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        88⤵
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        89⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        90⤵
        Drops file in Windows directory
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        91⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        92⤵
        
        PID:3264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        93⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        94⤵
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        95⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        96⤵
        Checks computer location settings
        
        PID:4144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        97⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        98⤵
        
        PID:2024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        99⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        100⤵
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        101⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        102⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        103⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        104⤵
        
        PID:612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        105⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        106⤵
        Modifies registry class
        
        PID:1316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        107⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        108⤵
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        109⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        110⤵
        
        PID:532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        111⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        112⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        113⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        114⤵
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        115⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        116⤵
        Checks computer location settings
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        117⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        118⤵
        
        PID:3144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        119⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        120⤵
        Drops file in Windows directory
        
        PID:784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        121⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        122⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        123⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        124⤵
        Checks computer location settings
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        125⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        126⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        127⤵
        Drops file in Windows directory
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        128⤵
        
        PID:3912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        129⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        130⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        131⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        132⤵
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        133⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        134⤵
        
        PID:364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        135⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        136⤵
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        137⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        138⤵
        Drops file in Windows directory
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        139⤵
        Drops file in Windows directory
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        140⤵
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        141⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        142⤵
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        143⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        144⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        145⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        146⤵
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        147⤵
        Drops file in Windows directory
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        148⤵
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        149⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        150⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        151⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        152⤵
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        153⤵
        Drops file in Windows directory
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        154⤵
        Drops file in Windows directory
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        155⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        156⤵
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        157⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        158⤵
        
        PID:4144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        159⤵
        Drops file in Windows directory
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        160⤵
        
        PID:2024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        161⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        162⤵
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        163⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        164⤵
        
        PID:3528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        165⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        166⤵
        
        PID:3960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        167⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        168⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        169⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        170⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        171⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        172⤵
        Modifies registry class
        
        PID:3256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        173⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        174⤵
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        175⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        176⤵
        Checks computer location settings
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        177⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        178⤵
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        179⤵
        Drops file in Windows directory
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        180⤵
        
        PID:5008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        181⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        182⤵
        
        PID:4916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        183⤵
        Drops file in Windows directory
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        184⤵
        
        PID:696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        185⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        186⤵
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        187⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        188⤵
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        189⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        190⤵
        
        PID:1788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        191⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        192⤵
        Checks computer location settings
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        193⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        194⤵
        Modifies registry class
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        195⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        196⤵
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        197⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        198⤵
        
        PID:312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        199⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        200⤵
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        201⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        202⤵
        Checks computer location settings
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        203⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        204⤵
        
        PID:648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        205⤵
        Drops file in Windows directory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        206⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        207⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        208⤵
        
        PID:3504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        209⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        210⤵
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        211⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        212⤵
        
        PID:4568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        213⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        214⤵
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        215⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        216⤵
        
        PID:4524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        217⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        218⤵
        Drops file in Windows directory
        
        PID:424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        219⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        220⤵
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        221⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        222⤵
        Modifies registry class
        
        PID:4732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        223⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        224⤵
        
        PID:556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        225⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        226⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        227⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        228⤵
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        229⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        230⤵
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        231⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        232⤵
        
        PID:1188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        233⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        234⤵
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        235⤵
        Drops file in Windows directory
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        236⤵
        
        PID:1076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        237⤵
        Drops file in Windows directory
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        238⤵
        
        PID:3876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        239⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        240⤵
        
        PID:3732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        241⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        242⤵
        
        PID:664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        243⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        244⤵
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        245⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        246⤵
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        247⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        248⤵
        Checks computer location settings
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        249⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        250⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        251⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        252⤵
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        253⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        254⤵
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        255⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        256⤵
        
        PID:1788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        257⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        258⤵
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        259⤵
        Drops file in Windows directory
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        260⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        261⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        262⤵
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        263⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        264⤵
        Modifies registry class
        
        PID:3568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        265⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        266⤵
        Drops file in Windows directory
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        267⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        268⤵
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        269⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        270⤵
        
        PID:4296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        271⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        272⤵
        
        PID:4936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        273⤵
        Drops file in Windows directory
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        274⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        275⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        276⤵
        Modifies registry class
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        277⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        278⤵
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        279⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        280⤵
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        281⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        282⤵
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        283⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        284⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        285⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        286⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        287⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        288⤵
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        289⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        290⤵
        
        PID:3860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        291⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        292⤵
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        293⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        294⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        295⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        296⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        297⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        298⤵
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        299⤵
        Drops file in Windows directory
        
        PID:260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        300⤵
        
        PID:3872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        301⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        302⤵
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        303⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        304⤵
        
        PID:4884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        305⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        306⤵
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        307⤵
        Drops file in Windows directory
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        308⤵
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        309⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        310⤵
        
        PID:4556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        311⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        312⤵
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        313⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        314⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        315⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        316⤵
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        317⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        318⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        319⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        320⤵
        Drops file in Windows directory
        
        PID:3656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        321⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        322⤵
        Checks computer location settings
        
        PID:4268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        323⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        324⤵
        
        PID:1788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        325⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        326⤵
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        327⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        328⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        329⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        330⤵
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        331⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        332⤵
        
        PID:3568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        333⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        334⤵
        
        PID:1548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        335⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        336⤵
        Drops file in Windows directory
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        337⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        338⤵
        Modifies registry class
        
        PID:4528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        339⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        340⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        341⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        342⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        343⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        344⤵
        
        PID:4200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        345⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        346⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        347⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        348⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        349⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        350⤵
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        351⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        352⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        353⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        354⤵
        Modifies registry class
        
        PID:1180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        355⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        356⤵
        
        PID:612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        357⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        358⤵
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        359⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        360⤵
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        361⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        362⤵
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        363⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        364⤵
        Modifies registry class
        
        PID:972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        365⤵
        Drops file in Windows directory
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        366⤵
        Modifies registry class
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        367⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        368⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        369⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        370⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        371⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        372⤵
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        373⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        374⤵
        
        PID:1216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        375⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        376⤵
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        377⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        378⤵
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        379⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        380⤵
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        381⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        382⤵
        
        PID:220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        383⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        384⤵
        
        PID:3644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        385⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        386⤵
        
        PID:4152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        387⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        388⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        389⤵
        Drops file in Windows directory
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        390⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        391⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        392⤵
        
        PID:816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        393⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        394⤵
        
        PID:4416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        395⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        396⤵
        
        PID:740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        397⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        398⤵
        
        PID:3304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        399⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        400⤵
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        401⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        402⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        403⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        404⤵
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        405⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        406⤵
        
        PID:1056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        407⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        408⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        409⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        410⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        411⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        412⤵
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        413⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        414⤵
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        415⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        416⤵
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        417⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        418⤵
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        419⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        420⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        421⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        422⤵
        
        PID:1180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        423⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        424⤵
        Modifies registry class
        
        PID:5016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        425⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        426⤵
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        427⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        428⤵
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        429⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        430⤵
        Modifies registry class
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        431⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        432⤵
        
        PID:972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        433⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        434⤵
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        435⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        436⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        437⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        438⤵
        Checks computer location settings
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        439⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        440⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        441⤵
        Drops file in Windows directory
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        442⤵
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        443⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        444⤵
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        445⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        446⤵
        Checks computer location settings
        
        PID:4032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        447⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        448⤵
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        449⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        450⤵
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        451⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        452⤵
        
        PID:4748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        453⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        454⤵
        Checks computer location settings
        
        PID:3916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        455⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        456⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        457⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        458⤵
        
        PID:3920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        459⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        460⤵
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        461⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        462⤵
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        463⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        464⤵
        
        PID:740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        465⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        466⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        467⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        468⤵
        
        PID:4128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        469⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        470⤵
        
        PID:648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        471⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        472⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        473⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        474⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        475⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        476⤵
        
        PID:3856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        477⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        478⤵
        
        PID:4272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        479⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        480⤵
        Checks computer location settings
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        481⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        482⤵
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        483⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        484⤵
        
        PID:5048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        485⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        486⤵
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        487⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        488⤵
        
        PID:560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        489⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        490⤵
        Modifies registry class
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        491⤵
        Drops file in Windows directory
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        492⤵
        
        PID:1080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        493⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        494⤵
        Checks computer location settings
        
        PID:944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        495⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        496⤵
        Checks computer location settings
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        497⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        498⤵
        
        PID:3888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        499⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        500⤵
        Checks computer location settings
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        501⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        502⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        503⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        504⤵
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        505⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        506⤵
        Modifies registry class
        
        PID:1104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        507⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        508⤵
        Modifies registry class
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        509⤵
        Drops file in Windows directory
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        510⤵
        
        PID:1100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        511⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        512⤵
        Checks computer location settings
        
        PID:2504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        513⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        514⤵
        Checks computer location settings
        
        PID:3912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        515⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        516⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        517⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        518⤵
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        519⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        520⤵
        
        PID:3920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        521⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        522⤵
        Drops file in Windows directory
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        523⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        524⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        525⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        526⤵
        Drops file in Windows directory
        
        PID:1544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        527⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        528⤵
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        529⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        530⤵
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        531⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        532⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        533⤵
        Drops file in Windows directory
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        534⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        535⤵
        Drops file in Windows directory
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        536⤵
        Drops file in Windows directory
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        537⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        538⤵
        Drops file in Windows directory
        
        PID:4784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        539⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        540⤵
        Modifies registry class
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        541⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        542⤵
        
        PID:1112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        543⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        544⤵
        Drops file in Windows directory
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        545⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        546⤵
        Modifies registry class
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        547⤵
        Drops file in Windows directory
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        548⤵
        
        PID:1448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        549⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        550⤵
        Checks computer location settings
        
        PID:1180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        551⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        552⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        553⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        554⤵
        Modifies registry class
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        555⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        556⤵
        
        PID:992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        557⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        558⤵
        
        PID:944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        559⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        560⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        561⤵
        Drops file in Windows directory
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        562⤵
        
        PID:3888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        563⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        564⤵
        Checks computer location settings
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        565⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        566⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        567⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        568⤵
        
        PID:3544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        569⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        570⤵
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        571⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        572⤵
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        573⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        574⤵
        Checks computer location settings
        
        PID:1100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        575⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        576⤵
        Modifies registry class
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        577⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        578⤵
        Checks computer location settings
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        579⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        580⤵
        
        PID:3864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        581⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        582⤵
        Checks computer location settings
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        583⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        584⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        585⤵
        Drops file in Windows directory
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        586⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        587⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        588⤵
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        589⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        590⤵
        
        PID:3568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        591⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        592⤵
        
        PID:4528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        593⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        594⤵
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        595⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        596⤵
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        597⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        598⤵
        Modifies registry class
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        599⤵
        Drops file in Windows directory
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        600⤵
        Modifies registry class
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        601⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        602⤵
        Drops file in Windows directory
        
        PID:4896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        603⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        604⤵
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        605⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        606⤵
        Drops file in Windows directory
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        607⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        608⤵
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        609⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        610⤵
        
        PID:444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        611⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        612⤵
        
        PID:4168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        613⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        614⤵
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        615⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        616⤵
        
        PID:1180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        617⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        618⤵
        
        PID:3608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        619⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        620⤵
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        621⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        622⤵
        
        PID:4340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        623⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        624⤵
        
        PID:112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        625⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        626⤵
        Drops file in Windows directory
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        627⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        628⤵
        Drops file in Windows directory
        
        PID:1076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        629⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        630⤵
        Checks computer location settings
        
        PID:5072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        631⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        632⤵
        Checks computer location settings
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        633⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        634⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        635⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        636⤵
        Modifies registry class
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        637⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        638⤵
        
        PID:3368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        639⤵
        Drops file in Windows directory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        640⤵
        
        PID:1100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        641⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        642⤵
        Modifies registry class
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        643⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        644⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        645⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        646⤵
        Modifies registry class
        
        PID:3864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        647⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        648⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        649⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        650⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        651⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        652⤵
        Checks computer location settings
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        653⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        654⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        655⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        656⤵
        Modifies registry class
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        657⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        658⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        659⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        660⤵
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        661⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        662⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        663⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        664⤵
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        665⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        666⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        667⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        668⤵
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        669⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        670⤵
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        671⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        672⤵
        Checks computer location settings
        
        PID:4356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        673⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        674⤵
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        675⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        676⤵
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        677⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        678⤵
        
        PID:1316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        679⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        680⤵
        Checks computer location settings
        
        PID:884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        681⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        682⤵
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        683⤵
        Drops file in Windows directory
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        684⤵
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        685⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        686⤵
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        687⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        688⤵
        
        PID:4340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        689⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        690⤵
        Checks computer location settings
        
        PID:112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        691⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        692⤵
        
        PID:4712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        693⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        694⤵
        
        PID:1076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        695⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        696⤵
        
        PID:5072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        697⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        698⤵
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        699⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        700⤵
        
        PID:4336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        701⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        702⤵
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        703⤵
        Drops file in Windows directory
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        704⤵
        
        PID:3368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        705⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        706⤵
        Checks computer location settings
        
        PID:3724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        707⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        708⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        709⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        710⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        711⤵
        Drops file in Windows directory
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        712⤵
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        713⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        714⤵
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        715⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        716⤵
        Modifies registry class
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        717⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        718⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        719⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        720⤵
        Drops file in Windows directory
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        721⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        722⤵
        Checks computer location settings
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        723⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        724⤵
        
        PID:3808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        725⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        726⤵
        
        PID:3612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        727⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        728⤵
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        729⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        730⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        731⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        732⤵
        Checks computer location settings
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        733⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        734⤵
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        735⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        736⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        737⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        738⤵
        
        PID:1112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        739⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        740⤵
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        741⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        742⤵
        
        PID:3480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        743⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        744⤵
        Checks computer location settings
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        745⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        746⤵
        Checks computer location settings
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        747⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        748⤵
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        749⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        750⤵
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        751⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        752⤵
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        753⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        754⤵
        
        PID:944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        755⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        756⤵
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        757⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        758⤵
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        759⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        760⤵
        
        PID:3876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        761⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        762⤵
        
        PID:3732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        763⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        764⤵
        Drops file in Windows directory
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        765⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        766⤵
        Checks computer location settings
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        767⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        768⤵
        
        PID:3816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        769⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        770⤵
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        771⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        772⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        773⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        774⤵
        Checks computer location settings
        
        PID:3160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        775⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        776⤵
        
        PID:4052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        777⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        778⤵
        
        PID:3836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        779⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        780⤵
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        781⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        782⤵
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        783⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        784⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        785⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        786⤵
        
        PID:1544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        787⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        788⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        789⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        790⤵
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        791⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        792⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        793⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        794⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        795⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        796⤵
        Modifies registry class
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        797⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        798⤵
        
        PID:4312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        799⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        800⤵
        Drops file in Windows directory
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        801⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        802⤵
        Modifies registry class
        
        PID:2152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        803⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        804⤵
        
        PID:2772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        805⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        806⤵
        
        PID:3480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        807⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        808⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        809⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        810⤵
        Modifies registry class
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        811⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        812⤵
        Modifies registry class
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        813⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        814⤵
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        815⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        816⤵
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        817⤵
        Drops file in Windows directory
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        818⤵
        Checks computer location settings
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        819⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        820⤵
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        821⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        822⤵
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        823⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        824⤵
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        825⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        826⤵
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        827⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        828⤵
        Checks computer location settings
        
        PID:1104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        829⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        830⤵
        Modifies registry class
        
        PID:4000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        831⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        832⤵
        
        PID:3844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        833⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        834⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        835⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        836⤵
        
        PID:2504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        837⤵
        Drops file in Windows directory
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        838⤵
        
        PID:3912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        839⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        840⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        841⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        842⤵
        
        PID:3240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE"
        843⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\D467F5~1.EXE
        844⤵
        
        PID:3552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d467f5abbcba6952c2e67cc24ede72ceb2ff469169921069ac19c692752fa9b4.exe

Filesize
310KB

MD5
a8fb012e9b2c06c394e1609174e3dea8

SHA1
429e0b24e910d52f0e87d119169f349d3d983fde

SHA256
90a0936630d6eae4a2c8e5e8667a1d7444e83d7290546a1d80878af650a74f2b

SHA512
f803d9243e8ba841fd8243d9b1f0505edccfee5dbd5ffdf78d29ed45e519ad0cae14ecf31472d6a83b610a12138065d7c988ffce74adb52bbf046351afcc8ac8

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
94b386c8dbc17f5ae24ca4d9efd44e96

SHA1
293abeddac2d5eb3d5c3f0ac5479fa6a4a1ef9c4

SHA256
577bbdd89c585f83347c23f37fe1f70a1a8f137eba0fd99127ee9e6fc5d74966

SHA512
a6ade4e95ef52897ca2dad21043dfae77481209114952e9bc5e76fbe990dabe6b03810cbdf6733a02e4acd2a8484ed3a83866a9e445b231c4906fc6a51b9f870

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
2e47c96f947db7a8be51985ccc0de0ab

SHA1
174897a0254dc90c23c8636cfdf0d49515c4b627

SHA256
93a0e5763816fa35707b8c651178e93fd235f13ab517be76a0c91f0f81335a59

SHA512
3fdce195c9d9223ad90c089ace36d1a2a6775761f2fb30ad0f813ac6c107031bc793b742048de5975564061f487def41f1fedd7718ba3dade7739ba223d8cbbb

Download Submit
memory/112-250-0x0000000000000000-mapping.dmp

Download
memory/400-233-0x0000000000000000-mapping.dmp

Download
memory/624-245-0x0000000000000000-mapping.dmp

Download
memory/776-254-0x0000000000000000-mapping.dmp

Download
memory/820-213-0x0000000000000000-mapping.dmp

Download
memory/880-249-0x0000000000000000-mapping.dmp

Download
memory/1012-211-0x0000000000000000-mapping.dmp

Download
memory/1188-159-0x0000000000000000-mapping.dmp

Download
memory/1248-163-0x0000000000000000-mapping.dmp

Download
memory/1260-251-0x0000000000000000-mapping.dmp

Download
memory/1320-243-0x0000000000000000-mapping.dmp

Download
memory/1336-147-0x0000000000000000-mapping.dmp

Download
memory/1340-207-0x0000000000000000-mapping.dmp

Download
memory/1356-242-0x0000000000000000-mapping.dmp

Download
memory/1524-229-0x0000000000000000-mapping.dmp

Download
memory/1656-228-0x0000000000000000-mapping.dmp

Download
memory/1696-230-0x0000000000000000-mapping.dmp

Download
memory/1744-199-0x0000000000000000-mapping.dmp

Download
memory/1828-253-0x0000000000000000-mapping.dmp

Download
memory/1836-252-0x0000000000000000-mapping.dmp

Download
memory/1844-237-0x0000000000000000-mapping.dmp

Download
memory/2016-248-0x0000000000000000-mapping.dmp

Download
memory/2092-246-0x0000000000000000-mapping.dmp

Download
memory/2156-217-0x0000000000000000-mapping.dmp

Download
memory/2232-244-0x0000000000000000-mapping.dmp

Download
memory/2256-236-0x0000000000000000-mapping.dmp

Download
memory/2368-238-0x0000000000000000-mapping.dmp

Download
memory/2408-256-0x0000000000000000-mapping.dmp

Download
memory/2432-219-0x0000000000000000-mapping.dmp

Download
memory/2592-171-0x0000000000000000-mapping.dmp

Download
memory/2592-258-0x0000000000000000-mapping.dmp

Download
memory/2608-187-0x0000000000000000-mapping.dmp

Download
memory/2916-195-0x0000000000000000-mapping.dmp

Download
memory/2932-259-0x0000000000000000-mapping.dmp

Download
memory/3144-165-0x0000000000000000-mapping.dmp

Download
memory/3244-193-0x0000000000000000-mapping.dmp

Download
memory/3404-181-0x0000000000000000-mapping.dmp

Download
memory/3552-201-0x0000000000000000-mapping.dmp

Download
memory/3588-151-0x0000000000000000-mapping.dmp

Download
memory/3764-177-0x0000000000000000-mapping.dmp

Download
memory/3912-183-0x0000000000000000-mapping.dmp

Download
memory/3928-145-0x0000000000000000-mapping.dmp

Download
memory/4124-231-0x0000000000000000-mapping.dmp

Download
memory/4164-234-0x0000000000000000-mapping.dmp

Download
memory/4176-189-0x0000000000000000-mapping.dmp

Download
memory/4248-255-0x0000000000000000-mapping.dmp

Download
memory/4248-169-0x0000000000000000-mapping.dmp

Download
memory/4296-223-0x0000000000000000-mapping.dmp

Download
memory/4300-157-0x0000000000000000-mapping.dmp

Download
memory/4344-235-0x0000000000000000-mapping.dmp

Download
memory/4444-247-0x0000000000000000-mapping.dmp

Download
memory/4536-232-0x0000000000000000-mapping.dmp

Download
memory/4540-205-0x0000000000000000-mapping.dmp

Download
memory/4616-153-0x0000000000000000-mapping.dmp

Download
memory/4688-240-0x0000000000000000-mapping.dmp

Download
memory/4696-139-0x0000000000000000-mapping.dmp

Download
memory/4736-241-0x0000000000000000-mapping.dmp

Download
memory/4816-132-0x0000000000000000-mapping.dmp

Download
memory/4896-239-0x0000000000000000-mapping.dmp

Download
memory/4936-225-0x0000000000000000-mapping.dmp

Download
memory/5036-135-0x0000000000000000-mapping.dmp

Download
memory/5048-141-0x0000000000000000-mapping.dmp

Download
memory/5068-257-0x0000000000000000-mapping.dmp

Download
memory/5076-175-0x0000000000000000-mapping.dmp

Download