neshta | 52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89

Analysis

max time kernel
184s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
Size

896KB
MD5

4c2d61a636fb7726ceb1598b180a51a0
SHA1

463acc26ef1cc53b57b9b38e438d30c153af60a1
SHA256

52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89
SHA512

ce4e918e46e64e86816dbea480c142e33315ea47ece9a18c4aad5774917d7f60dfe3ac9098e161595f68ba1ce3071fe107c4c03f928590c9351420299565aeec
SSDEEP

12288:8Smgt5H4kInv7kvNmvlJMoUEc4w1WilWAgJ:8S3t59YIvNmvlJLtKW4WV

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 46 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Windows\svchost.com	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exesvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com

pid	process
1492	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
1120	svchost.com
680	52D5C3~1.EXE
1584	svchost.com
1660	52D5C3~1.EXE
1704	svchost.com
808	52D5C3~1.EXE
536	svchost.com
1436	52D5C3~1.EXE
1328	svchost.com
552	52D5C3~1.EXE
1256	svchost.com
616	52D5C3~1.EXE
692	svchost.com
1260	52D5C3~1.EXE
272	svchost.com
1728	52D5C3~1.EXE
1352	svchost.com
876	52D5C3~1.EXE
2016	svchost.com
1192	52D5C3~1.EXE
1572	svchost.com
296	52D5C3~1.EXE
316	svchost.com
1704	52D5C3~1.EXE
2028	svchost.com
2024	52D5C3~1.EXE
1436	svchost.com
1840	52D5C3~1.EXE
524	svchost.com
1956	52D5C3~1.EXE
1544	svchost.com
1176	52D5C3~1.EXE
1280	svchost.com
896	52D5C3~1.EXE
1016	svchost.com
800	52D5C3~1.EXE
1608	svchost.com
1320	52D5C3~1.EXE
780	svchost.com
1128	52D5C3~1.EXE
1088	svchost.com
936	52D5C3~1.EXE
2004	svchost.com
336	52D5C3~1.EXE
1660	svchost.com
1656	52D5C3~1.EXE
1836	svchost.com
1768	52D5C3~1.EXE
1156	svchost.com
940	52D5C3~1.EXE
1360	svchost.com
844	52D5C3~1.EXE
1840	svchost.com
1516	52D5C3~1.EXE
1356	svchost.com
1456	52D5C3~1.EXE
1312	svchost.com
908	52D5C3~1.EXE
896	svchost.com
1348	52D5C3~1.EXE
1636	svchost.com
1940	52D5C3~1.EXE
644	svchost.com

Loads dropped DLL 64 IoCs

Processes:

52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

pid	process
1596	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
1596	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
1120	svchost.com
1120	svchost.com
1584	svchost.com
1584	svchost.com
1704	svchost.com
1704	svchost.com
536	svchost.com
536	svchost.com
1328	svchost.com
1328	svchost.com
1256	svchost.com
1256	svchost.com
692	svchost.com
692	svchost.com
272	svchost.com
272	svchost.com
1352	svchost.com
1352	svchost.com
2016	svchost.com
2016	svchost.com
1572	svchost.com
1572	svchost.com
316	svchost.com
316	svchost.com
2028	svchost.com
2028	svchost.com
1436	svchost.com
1436	svchost.com
524	svchost.com
524	svchost.com
1544	svchost.com
1544	svchost.com
1280	svchost.com
1280	svchost.com
1016	svchost.com
1016	svchost.com
1608	svchost.com
1608	svchost.com
780	svchost.com
780	svchost.com
1088	svchost.com
1088	svchost.com
2004	svchost.com
2004	svchost.com
1660	svchost.com
1660	svchost.com
1836	svchost.com
1836	svchost.com
1156	svchost.com
1156	svchost.com
1360	svchost.com
1360	svchost.com
1840	svchost.com
1840	svchost.com
1356	svchost.com
1356	svchost.com
1312	svchost.com
1312	svchost.com
896	svchost.com
896	svchost.com
1636	svchost.com
1636	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Drops file in Windows directory 64 IoCs

Processes:

52D5C3~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com52D5C3~1.EXEsvchost.comsvchost.comsvchost.com52D5C3~1.EXEsvchost.comsvchost.com52D5C3~1.EXE52D5C3~1.EXE52D5C3~1.EXE52D5C3~1.EXEsvchost.comsvchost.comsvchost.com52D5C3~1.EXE52D5C3~1.EXEsvchost.com52D5C3~1.EXE52D5C3~1.EXE52D5C3~1.EXE52D5C3~1.EXE52D5C3~1.EXE52D5C3~1.EXEsvchost.comsvchost.com52D5C3~1.EXEsvchost.comsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXE52D5C3~1.EXE

description	ioc	process
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	52D5C3~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	52D5C3~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	52D5C3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	52D5C3~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE
File opened for modification	C:\Windows\svchost.com	52D5C3~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exesvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXEsvchost.com52D5C3~1.EXE

description	pid	process	target process
PID 1596 wrote to memory of 1492	1596	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
PID 1596 wrote to memory of 1492	1596	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
PID 1596 wrote to memory of 1492	1596	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
PID 1596 wrote to memory of 1492	1596	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
PID 1492 wrote to memory of 1120	1492	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	svchost.com
PID 1492 wrote to memory of 1120	1492	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	svchost.com
PID 1492 wrote to memory of 1120	1492	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	svchost.com
PID 1492 wrote to memory of 1120	1492	52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe	svchost.com
PID 1120 wrote to memory of 680	1120	svchost.com	52D5C3~1.EXE
PID 1120 wrote to memory of 680	1120	svchost.com	52D5C3~1.EXE
PID 1120 wrote to memory of 680	1120	svchost.com	52D5C3~1.EXE
PID 1120 wrote to memory of 680	1120	svchost.com	52D5C3~1.EXE
PID 680 wrote to memory of 1584	680	52D5C3~1.EXE	svchost.com
PID 680 wrote to memory of 1584	680	52D5C3~1.EXE	svchost.com
PID 680 wrote to memory of 1584	680	52D5C3~1.EXE	svchost.com
PID 680 wrote to memory of 1584	680	52D5C3~1.EXE	svchost.com
PID 1584 wrote to memory of 1660	1584	svchost.com	52D5C3~1.EXE
PID 1584 wrote to memory of 1660	1584	svchost.com	52D5C3~1.EXE
PID 1584 wrote to memory of 1660	1584	svchost.com	52D5C3~1.EXE
PID 1584 wrote to memory of 1660	1584	svchost.com	52D5C3~1.EXE
PID 1660 wrote to memory of 1704	1660	52D5C3~1.EXE	svchost.com
PID 1660 wrote to memory of 1704	1660	52D5C3~1.EXE	svchost.com
PID 1660 wrote to memory of 1704	1660	52D5C3~1.EXE	svchost.com
PID 1660 wrote to memory of 1704	1660	52D5C3~1.EXE	svchost.com
PID 1704 wrote to memory of 808	1704	svchost.com	52D5C3~1.EXE
PID 1704 wrote to memory of 808	1704	svchost.com	52D5C3~1.EXE
PID 1704 wrote to memory of 808	1704	svchost.com	52D5C3~1.EXE
PID 1704 wrote to memory of 808	1704	svchost.com	52D5C3~1.EXE
PID 808 wrote to memory of 536	808	52D5C3~1.EXE	svchost.com
PID 808 wrote to memory of 536	808	52D5C3~1.EXE	svchost.com
PID 808 wrote to memory of 536	808	52D5C3~1.EXE	svchost.com
PID 808 wrote to memory of 536	808	52D5C3~1.EXE	svchost.com
PID 536 wrote to memory of 1436	536	svchost.com	52D5C3~1.EXE
PID 536 wrote to memory of 1436	536	svchost.com	52D5C3~1.EXE
PID 536 wrote to memory of 1436	536	svchost.com	52D5C3~1.EXE
PID 536 wrote to memory of 1436	536	svchost.com	52D5C3~1.EXE
PID 1436 wrote to memory of 1328	1436	52D5C3~1.EXE	svchost.com
PID 1436 wrote to memory of 1328	1436	52D5C3~1.EXE	svchost.com
PID 1436 wrote to memory of 1328	1436	52D5C3~1.EXE	svchost.com
PID 1436 wrote to memory of 1328	1436	52D5C3~1.EXE	svchost.com
PID 1328 wrote to memory of 552	1328	svchost.com	52D5C3~1.EXE
PID 1328 wrote to memory of 552	1328	svchost.com	52D5C3~1.EXE
PID 1328 wrote to memory of 552	1328	svchost.com	52D5C3~1.EXE
PID 1328 wrote to memory of 552	1328	svchost.com	52D5C3~1.EXE
PID 552 wrote to memory of 1256	552	52D5C3~1.EXE	svchost.com
PID 552 wrote to memory of 1256	552	52D5C3~1.EXE	svchost.com
PID 552 wrote to memory of 1256	552	52D5C3~1.EXE	svchost.com
PID 552 wrote to memory of 1256	552	52D5C3~1.EXE	svchost.com
PID 1256 wrote to memory of 616	1256	svchost.com	52D5C3~1.EXE
PID 1256 wrote to memory of 616	1256	svchost.com	52D5C3~1.EXE
PID 1256 wrote to memory of 616	1256	svchost.com	52D5C3~1.EXE
PID 1256 wrote to memory of 616	1256	svchost.com	52D5C3~1.EXE
PID 616 wrote to memory of 692	616	52D5C3~1.EXE	svchost.com
PID 616 wrote to memory of 692	616	52D5C3~1.EXE	svchost.com
PID 616 wrote to memory of 692	616	52D5C3~1.EXE	svchost.com
PID 616 wrote to memory of 692	616	52D5C3~1.EXE	svchost.com
PID 692 wrote to memory of 1260	692	svchost.com	52D5C3~1.EXE
PID 692 wrote to memory of 1260	692	svchost.com	52D5C3~1.EXE
PID 692 wrote to memory of 1260	692	svchost.com	52D5C3~1.EXE
PID 692 wrote to memory of 1260	692	svchost.com	52D5C3~1.EXE
PID 1260 wrote to memory of 272	1260	52D5C3~1.EXE	svchost.com
PID 1260 wrote to memory of 272	1260	52D5C3~1.EXE	svchost.com
PID 1260 wrote to memory of 272	1260	52D5C3~1.EXE	svchost.com
PID 1260 wrote to memory of 272	1260	52D5C3~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
"C:\Users\Admin\AppData\Local\Temp\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:272

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
18⤵
- Executes dropped EXE
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
20⤵
- Executes dropped EXE
PID:876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
22⤵
- Executes dropped EXE
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
24⤵
- Executes dropped EXE
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
26⤵
- Executes dropped EXE
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
3⤵
- Executes dropped EXE
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
5⤵
- Executes dropped EXE
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
7⤵
- Executes dropped EXE
PID:1176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
9⤵
- Executes dropped EXE
PID:896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
11⤵
- Executes dropped EXE
PID:800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
13⤵
- Executes dropped EXE
PID:1320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
15⤵
- Executes dropped EXE
PID:1128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
17⤵
- Executes dropped EXE
PID:936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
19⤵
- Executes dropped EXE
PID:336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
21⤵
- Executes dropped EXE
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
23⤵
- Executes dropped EXE
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
25⤵
- Executes dropped EXE
PID:940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
27⤵
- Executes dropped EXE
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
29⤵
- Executes dropped EXE
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
31⤵
- Executes dropped EXE
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
33⤵
- Executes dropped EXE
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
35⤵
- Executes dropped EXE
PID:1348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
37⤵
- Executes dropped EXE
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
38⤵
- Executes dropped EXE
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
39⤵
PID:588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
40⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
41⤵
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
42⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
43⤵
PID:712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
44⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
45⤵
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
46⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
47⤵
PID:1572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
48⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
49⤵
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
50⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
51⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
52⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
53⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
54⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
55⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
56⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
57⤵
PID:1416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
58⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
59⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
60⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
61⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
62⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
63⤵
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
64⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
65⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
66⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
1⤵
PID:1508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
2⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
3⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
4⤵
- Drops file in Windows directory
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
5⤵
PID:1368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
6⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
7⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
8⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
9⤵
PID:1664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
10⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
11⤵
- Drops file in Windows directory
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
12⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
13⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
14⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
15⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
16⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
17⤵
PID:1992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
18⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
19⤵
PID:1360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
20⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
21⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
22⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
23⤵
- Drops file in Windows directory
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
24⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
25⤵
- Drops file in Windows directory
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
26⤵
- Drops file in Windows directory
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
27⤵
PID:1260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
28⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
29⤵
- Drops file in Windows directory
PID:1720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
30⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
31⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
32⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
33⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
34⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
35⤵
PID:924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
36⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
37⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
38⤵
- Drops file in Windows directory
PID:936

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
39⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
40⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
41⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
42⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
43⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
44⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
45⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
46⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
47⤵
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
48⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
49⤵
PID:1992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
50⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
51⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
52⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
53⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
54⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
55⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
56⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
57⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
58⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
59⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
60⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
61⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
62⤵
- Drops file in Windows directory
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
63⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
64⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
65⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
66⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
67⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
68⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
69⤵
PID:1368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
70⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
71⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
72⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
73⤵
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
74⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
75⤵
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
76⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
77⤵
PID:1616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
78⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
79⤵
- Drops file in Windows directory
PID:1044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
80⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
81⤵
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
82⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
83⤵
PID:1360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
84⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
85⤵
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
86⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
87⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
88⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
89⤵
PID:1280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
90⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
91⤵
PID:700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
92⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
93⤵
PID:324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
94⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
95⤵
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
96⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
97⤵
PID:588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
98⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
99⤵
PID:604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
100⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
101⤵
PID:1808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
102⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
103⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
104⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
105⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
106⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
107⤵
PID:808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
108⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
109⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
110⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
111⤵
PID:1912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
112⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
113⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
114⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
115⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
116⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
117⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
118⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
119⤵
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
120⤵
- Drops file in Windows directory
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
121⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
122⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
123⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
124⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
125⤵
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
126⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
127⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
128⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
129⤵
PID:1508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
130⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
131⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
132⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
133⤵
PID:712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
134⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
135⤵
PID:1832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
136⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
137⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
138⤵
- Drops file in Windows directory
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
139⤵
PID:316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
140⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
141⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
142⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
143⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
144⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
145⤵
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
146⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
147⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
148⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
149⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
150⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
151⤵
PID:320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
152⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
153⤵
PID:1176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
154⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
155⤵
PID:1016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
156⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
157⤵
- Drops file in Windows directory
PID:1560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
158⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
159⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
160⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
161⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
162⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
163⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
164⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
165⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
166⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
167⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
168⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
169⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
170⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
171⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
172⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
173⤵
- Drops file in Windows directory
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
174⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
175⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
176⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
177⤵
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
178⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
179⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
180⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
181⤵
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
182⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
183⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
184⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
185⤵
PID:1348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
186⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
187⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
188⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
189⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
190⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
191⤵
PID:604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
192⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
193⤵
PID:1808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
194⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
195⤵
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
196⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
197⤵
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
198⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
199⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
200⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
201⤵
PID:1044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
202⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
203⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
204⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
205⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
206⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
207⤵
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
208⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
209⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
210⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
211⤵
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
212⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
213⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
214⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
215⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
216⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
217⤵
PID:872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
218⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
219⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
220⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
221⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
222⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
223⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
224⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
225⤵
PID:712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
226⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
227⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
228⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
229⤵
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
230⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
231⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
232⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
233⤵
PID:1044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
234⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
235⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
236⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
237⤵
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
238⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
239⤵
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
240⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
241⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
242⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
243⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
244⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
245⤵
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
246⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
247⤵
PID:1348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
248⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
249⤵
- Drops file in Windows directory
PID:872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
250⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
251⤵
PID:848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
252⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
253⤵
PID:1508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
254⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
255⤵
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
256⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
257⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
258⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
259⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
260⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
261⤵
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
262⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
263⤵
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
264⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
265⤵
PID:808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
266⤵
- Drops file in Windows directory
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
267⤵
PID:940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
268⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
269⤵
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
270⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
271⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
272⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
273⤵
PID:1416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
274⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
275⤵
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
276⤵
- Drops file in Windows directory
PID:1504

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
277⤵
PID:1720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
278⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
279⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
280⤵
PID:272

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
281⤵
PID:588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
282⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
283⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
284⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
285⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
286⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
287⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
288⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
289⤵
PID:936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
290⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
291⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
292⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
293⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
294⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
295⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
296⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
297⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
298⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
299⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
300⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
301⤵
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
302⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
303⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
304⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
305⤵
PID:320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
306⤵
- Drops file in Windows directory
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
307⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
308⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
309⤵
- Drops file in Windows directory
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
310⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
185⤵
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
186⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
95⤵
PID:272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
96⤵
- Drops file in Windows directory
PID:924

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
97⤵
PID:1552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
98⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
99⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
100⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
101⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
102⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
103⤵
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
104⤵
- Drops file in Windows directory
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
105⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
106⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
107⤵
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
108⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
109⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
110⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
111⤵
PID:1912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
112⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
113⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
114⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
115⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
116⤵
- Drops file in Windows directory
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
117⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
118⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
119⤵
- Drops file in Windows directory
PID:1256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
120⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
121⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
122⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
123⤵
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
124⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
125⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
126⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
127⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
128⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
129⤵
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
130⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
131⤵
PID:1676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
132⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
133⤵
PID:1828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
134⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
135⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
136⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
137⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
138⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
139⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
140⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
141⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
142⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
143⤵
- Drops file in Windows directory
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
144⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
145⤵
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
146⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
147⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
148⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
149⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
150⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
151⤵
PID:704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
152⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
153⤵
PID:1560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
154⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
155⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
156⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
157⤵
PID:588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
158⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
159⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
160⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
161⤵
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
162⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
163⤵
PID:1676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
164⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
165⤵
PID:1616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
166⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
167⤵
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
168⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
169⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
170⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
171⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
172⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
173⤵
PID:1572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
174⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
175⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
176⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
177⤵
PID:280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
178⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
179⤵
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
180⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
181⤵
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
182⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
183⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
184⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
185⤵
PID:1632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
186⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
187⤵
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
188⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
189⤵
PID:1968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
190⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
191⤵
PID:1320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
192⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
193⤵
PID:268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
194⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
195⤵
PID:712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
196⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
197⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
198⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
199⤵
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
200⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
201⤵
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
202⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
203⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
204⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
205⤵
PID:940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
206⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
207⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
208⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
209⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
210⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
211⤵
PID:836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
212⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
213⤵
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
214⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
215⤵
- Drops file in Windows directory
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
216⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
217⤵
PID:1632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
218⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
219⤵
PID:1348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
220⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
221⤵
PID:1968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
222⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
223⤵
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
224⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
225⤵
PID:848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
226⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
227⤵
PID:644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
228⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
229⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
230⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
231⤵
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
232⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
233⤵
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
234⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
235⤵
- Drops file in Windows directory
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
236⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
237⤵
PID:940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
238⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
239⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
240⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
241⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
242⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
243⤵
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
244⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
245⤵
PID:1808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
246⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
247⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
248⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
249⤵
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
250⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
251⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
252⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
253⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
254⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
255⤵
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
256⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
257⤵
PID:1128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
258⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
259⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
260⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
261⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
262⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
263⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
264⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
265⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
266⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
267⤵
PID:824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
268⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
269⤵
PID:280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
270⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
271⤵
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
272⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
273⤵
PID:1260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
274⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
275⤵
PID:704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
276⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
277⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
278⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
279⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
280⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
281⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
282⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
283⤵
PID:604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
284⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
285⤵
PID:268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
286⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
287⤵
PID:1828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
288⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
289⤵
PID:336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
290⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
291⤵
PID:808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
292⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
293⤵
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
294⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
295⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
296⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
297⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
298⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
299⤵
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
300⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
301⤵
PID:280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
302⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
303⤵
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
304⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
305⤵
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
306⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
307⤵
PID:704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
308⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
309⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
310⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
311⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
312⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
313⤵
PID:800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
314⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
315⤵
PID:604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
316⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
317⤵
PID:1968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
318⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
319⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
320⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
321⤵
PID:1776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
322⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
323⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
324⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
325⤵
PID:1616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
326⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
327⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
328⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
329⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
330⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
331⤵
PID:1280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
332⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
333⤵
PID:1604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
334⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
335⤵
PID:1260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
336⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
337⤵
PID:272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
338⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
339⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
340⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
341⤵
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
342⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
343⤵
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
344⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
345⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
346⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
347⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
348⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
349⤵
PID:2028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
350⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
351⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
352⤵
- Drops file in Windows directory
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
353⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
354⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
355⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
356⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
357⤵
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
358⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
359⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
360⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
361⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
362⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
363⤵
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
364⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
365⤵
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
366⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
367⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
368⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
369⤵
PID:272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
370⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
371⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
372⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
373⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
374⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
375⤵
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
376⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
377⤵
PID:268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
378⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
379⤵
PID:936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
380⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
381⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
382⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
383⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
384⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
385⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
386⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
387⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
388⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
389⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
390⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
391⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
392⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
393⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
394⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
395⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
396⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
397⤵
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
398⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
399⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
400⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
401⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
402⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
403⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
404⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
405⤵
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
406⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
407⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
408⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
377⤵
PID:268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
378⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
379⤵
PID:1724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
380⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
381⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
382⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
383⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
384⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
385⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
386⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
205⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
206⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
207⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
208⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
209⤵
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
210⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
211⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
212⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
213⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
214⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
215⤵
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
216⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
217⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
218⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
219⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
220⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
221⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
222⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
223⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
224⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
225⤵
PID:896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
226⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
227⤵
PID:644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
228⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
229⤵
PID:336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
230⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
231⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
232⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
233⤵
PID:1572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
234⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
235⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
236⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
237⤵
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
238⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
239⤵
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
240⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
241⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
242⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
243⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
244⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
245⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
246⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
247⤵
PID:1260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
248⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
249⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
250⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
251⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
252⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
253⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
254⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
255⤵
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
256⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
257⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
258⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
259⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
260⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
261⤵
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
262⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
263⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
264⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
265⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
266⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
267⤵
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
268⤵
- Drops file in Windows directory
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
269⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
270⤵
- Drops file in Windows directory
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
271⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
272⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
273⤵
PID:1764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
274⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
275⤵
- Drops file in Windows directory
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
276⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
277⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
278⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
279⤵
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
280⤵
- Drops file in Windows directory
PID:700

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
281⤵
- Drops file in Windows directory
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
282⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
283⤵
PID:704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
284⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
285⤵
PID:1632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
286⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
287⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
288⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
289⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
290⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
291⤵
PID:800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
292⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
293⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
294⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
295⤵
PID:336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
296⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
297⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
298⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
299⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
300⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
301⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
302⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
303⤵
PID:1664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
304⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
305⤵
PID:1280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
306⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
307⤵
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
308⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
309⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
310⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
311⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
312⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
313⤵
PID:2036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
314⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
315⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
316⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
317⤵
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
318⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
319⤵
PID:1120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
320⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
321⤵
PID:712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
322⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
323⤵
PID:1776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
324⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
325⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
326⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
327⤵
- Drops file in Windows directory
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
328⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
329⤵
PID:1740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
330⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
331⤵
PID:808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
332⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
333⤵
PID:1496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
334⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
335⤵
PID:320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
336⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
337⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
338⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
339⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
340⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
341⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
342⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
343⤵
PID:1016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
344⤵
PID:272

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
345⤵
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
346⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
347⤵
PID:704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
348⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
349⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
350⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
351⤵
PID:924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
352⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
353⤵
PID:268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
354⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
355⤵
PID:2028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
356⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
357⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
358⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
359⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
360⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
361⤵
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
362⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
363⤵
PID:1488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
364⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
365⤵
PID:2044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
366⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
367⤵
PID:1416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
368⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
369⤵
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
370⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
371⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
372⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
373⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
374⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
375⤵
PID:1560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
376⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
377⤵
PID:272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
378⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
379⤵
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
380⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
381⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
382⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
383⤵
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
384⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
385⤵
PID:896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
386⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
387⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
388⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
389⤵
PID:1708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
390⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
391⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
392⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
393⤵
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
394⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
395⤵
PID:808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
396⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
397⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
398⤵
- Drops file in Windows directory
PID:2044

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
399⤵
PID:1764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
400⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
401⤵
PID:280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
402⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
403⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
404⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
405⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
406⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
407⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
408⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
409⤵
- Drops file in Windows directory
PID:700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
410⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
411⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
412⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
413⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
414⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
415⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
416⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
417⤵
- Drops file in Windows directory
PID:1320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
418⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
419⤵
PID:1832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
420⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
421⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
422⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
423⤵
PID:1708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
424⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
425⤵
PID:848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
426⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
427⤵
PID:2016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
428⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
429⤵
PID:472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
430⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
431⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
432⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
433⤵
PID:2044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
434⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
435⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
436⤵
- Drops file in Windows directory
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
437⤵
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
438⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
439⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
440⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
441⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
442⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
443⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
444⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
445⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
446⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
447⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
448⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
449⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
450⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
451⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
452⤵
- Drops file in Windows directory
PID:1368

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
453⤵
PID:604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
454⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
455⤵
PID:800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
456⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
457⤵
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
458⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
459⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
460⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
461⤵
PID:596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
462⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
463⤵
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
464⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
465⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
466⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
467⤵
PID:1912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
468⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
469⤵
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
470⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
471⤵
PID:560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
472⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
473⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
474⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
475⤵
PID:1720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
476⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
477⤵
PID:704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
478⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
479⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
480⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
481⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
482⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
483⤵
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
484⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
485⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
486⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
487⤵
PID:604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
488⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
489⤵
PID:644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
490⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
491⤵
- Drops file in Windows directory
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
492⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
493⤵
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
494⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
495⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
496⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
497⤵
PID:2020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE"
498⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\52D5C3~1.EXE
499⤵
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
5dd46b405446c4615abbdf6ea73d0953

SHA1
0267c0ba4604e87de84c526ad23411c63f4bc877

SHA256
b1616f04a30c22c3b2be04ae2b0ca2d38be056eccb5974eb77253d7b4d771e8f

SHA512
d8fcf08c85caa24f23519f9109fb91a9b12407627713f30a1c891a95e804cebfca7a900dc2942474722794887be1436b4107da21537dd71bbfde8c07d77fe7d7

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
5dd46b405446c4615abbdf6ea73d0953

SHA1
0267c0ba4604e87de84c526ad23411c63f4bc877

SHA256
b1616f04a30c22c3b2be04ae2b0ca2d38be056eccb5974eb77253d7b4d771e8f

SHA512
d8fcf08c85caa24f23519f9109fb91a9b12407627713f30a1c891a95e804cebfca7a900dc2942474722794887be1436b4107da21537dd71bbfde8c07d77fe7d7

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
5dd46b405446c4615abbdf6ea73d0953

SHA1
0267c0ba4604e87de84c526ad23411c63f4bc877

SHA256
b1616f04a30c22c3b2be04ae2b0ca2d38be056eccb5974eb77253d7b4d771e8f

SHA512
d8fcf08c85caa24f23519f9109fb91a9b12407627713f30a1c891a95e804cebfca7a900dc2942474722794887be1436b4107da21537dd71bbfde8c07d77fe7d7

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
5dd46b405446c4615abbdf6ea73d0953

SHA1
0267c0ba4604e87de84c526ad23411c63f4bc877

SHA256
b1616f04a30c22c3b2be04ae2b0ca2d38be056eccb5974eb77253d7b4d771e8f

SHA512
d8fcf08c85caa24f23519f9109fb91a9b12407627713f30a1c891a95e804cebfca7a900dc2942474722794887be1436b4107da21537dd71bbfde8c07d77fe7d7

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
7bce6c9f8bf3af115f3909857e7ef5ab

SHA1
d7496d9ec26bd9c7a9d13b6380df78a15771a776

SHA256
f652b112d1685ccb6fe6074e14965d46165220e7e7c150862299628e0b90d4fc

SHA512
1cebac87725dddec0293725662596bd397cdb88fe9123d3f2fc3b6df255db8deafad5e084ab16c2db305337eeed21b6a1c5911d453673444eeff68578c150a71

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\52d5c35c4fbf0a7ef4b068865773cc5c0ce86d2f8485c76542b7a498e02c2f89.exe

Filesize
855KB

MD5
44ff5f266325e12a301fcbd29d439c12

SHA1
20e2aff9295d287aaefd1dfdd21b6e8363e13d8a

SHA256
24ddd418feb3ebdc73d77cae93a8f68bb5643cab0f2e47673414ef1e1bb0bb76

SHA512
ecdb83b47134daaa63b5b8296f19b46bff23f61ac73c5e755b236e6768017841efe198bbcb0c8318a148426538d5872d18b13fbc9d85ec55158b35efec16b7b2

Download Submit
memory/272-131-0x0000000000000000-mapping.dmp

Download
memory/296-163-0x0000000000000000-mapping.dmp

Download
memory/316-165-0x0000000000000000-mapping.dmp

Download
memory/336-207-0x0000000000000000-mapping.dmp

Download
memory/524-177-0x0000000000000000-mapping.dmp

Download
memory/536-91-0x0000000000000000-mapping.dmp

Download
memory/552-108-0x0000000000000000-mapping.dmp

Download
memory/616-118-0x0000000000000000-mapping.dmp

Download
memory/644-245-0x0000000000000000-mapping.dmp

Download
memory/680-67-0x0000000000000000-mapping.dmp

Download
memory/692-121-0x0000000000000000-mapping.dmp

Download
memory/780-197-0x0000000000000000-mapping.dmp

Download
memory/800-191-0x0000000000000000-mapping.dmp

Download
memory/808-88-0x0000000000000000-mapping.dmp

Download
memory/844-223-0x0000000000000000-mapping.dmp

Download
memory/876-148-0x0000000000000000-mapping.dmp

Download
memory/896-187-0x0000000000000000-mapping.dmp

Download
memory/896-237-0x0000000000000000-mapping.dmp

Download
memory/908-235-0x0000000000000000-mapping.dmp

Download
memory/936-203-0x0000000000000000-mapping.dmp

Download
memory/940-219-0x0000000000000000-mapping.dmp

Download
memory/1016-189-0x0000000000000000-mapping.dmp

Download
memory/1088-201-0x0000000000000000-mapping.dmp

Download
memory/1120-62-0x0000000000000000-mapping.dmp

Download
memory/1128-199-0x0000000000000000-mapping.dmp

Download
memory/1156-217-0x0000000000000000-mapping.dmp

Download
memory/1176-183-0x0000000000000000-mapping.dmp

Download
memory/1192-158-0x0000000000000000-mapping.dmp

Download
memory/1256-111-0x0000000000000000-mapping.dmp

Download
memory/1260-128-0x0000000000000000-mapping.dmp

Download
memory/1280-185-0x0000000000000000-mapping.dmp

Download
memory/1312-233-0x0000000000000000-mapping.dmp

Download
memory/1320-195-0x0000000000000000-mapping.dmp

Download
memory/1328-101-0x0000000000000000-mapping.dmp

Download
memory/1348-239-0x0000000000000000-mapping.dmp

Download
memory/1352-141-0x0000000000000000-mapping.dmp

Download
memory/1356-229-0x0000000000000000-mapping.dmp

Download
memory/1360-221-0x0000000000000000-mapping.dmp

Download
memory/1436-173-0x0000000000000000-mapping.dmp

Download
memory/1436-98-0x0000000000000000-mapping.dmp

Download
memory/1456-231-0x0000000000000000-mapping.dmp

Download
memory/1492-57-0x0000000000000000-mapping.dmp

Download
memory/1516-227-0x0000000000000000-mapping.dmp

Download
memory/1544-181-0x0000000000000000-mapping.dmp

Download
memory/1572-161-0x0000000000000000-mapping.dmp

Download
memory/1584-70-0x0000000000000000-mapping.dmp

Download
memory/1596-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1608-193-0x0000000000000000-mapping.dmp

Download
memory/1636-241-0x0000000000000000-mapping.dmp

Download
memory/1656-211-0x0000000000000000-mapping.dmp

Download
memory/1660-209-0x0000000000000000-mapping.dmp

Download
memory/1660-77-0x0000000000000000-mapping.dmp

Download
memory/1704-167-0x0000000000000000-mapping.dmp

Download
memory/1704-80-0x0000000000000000-mapping.dmp

Download
memory/1728-138-0x0000000000000000-mapping.dmp

Download
memory/1768-215-0x0000000000000000-mapping.dmp

Download
memory/1836-213-0x0000000000000000-mapping.dmp

Download
memory/1840-225-0x0000000000000000-mapping.dmp

Download
memory/1840-175-0x0000000000000000-mapping.dmp

Download
memory/1940-243-0x0000000000000000-mapping.dmp

Download
memory/1956-179-0x0000000000000000-mapping.dmp

Download
memory/2004-205-0x0000000000000000-mapping.dmp

Download
memory/2016-151-0x0000000000000000-mapping.dmp

Download
memory/2024-171-0x0000000000000000-mapping.dmp

Download
memory/2028-169-0x0000000000000000-mapping.dmp

Download