neshta | 7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06

Analysis

max time kernel
168s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2022 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
Size

133KB
MD5

4510dc20445644a0153493ab95e2e660
SHA1

81df128fbc718e8184578676a742dd52bd4e02d1
SHA256

7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06
SHA512

c6cff4be8b43ccd228b493149a22f457066778c79a81d43e05921c9d3397f8f2f6dc50b349e82468b75d3468f2e93321927053de7473918e27209de0e1c30669
SSDEEP

1536:yxqjQ+P04wsZLnDrCA1RtvYlzWWH2iycinGMsPicTVTw1B4F3Y8SwOxqjQ+P04wv:zr8WDrCKtQdWhxaiAw1B4VY4r8WDrC

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exesvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com

pid	process
480	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
816	svchost.com
5084	7F7FF6~1.EXE
4340	svchost.com
4920	7F7FF6~1.EXE
4888	svchost.com
2264	7F7FF6~1.EXE
4500	svchost.com
4800	7F7FF6~1.EXE
5048	svchost.com
4828	7F7FF6~1.EXE
4044	svchost.com
2624	7F7FF6~1.EXE
32	svchost.com
1780	7F7FF6~1.EXE
1900	svchost.com
3164	7F7FF6~1.EXE
3512	svchost.com
3604	7F7FF6~1.EXE
1188	svchost.com
1452	7F7FF6~1.EXE
1480	svchost.com
3988	7F7FF6~1.EXE
3108	svchost.com
1904	7F7FF6~1.EXE
3968	svchost.com
1576	7F7FF6~1.EXE
4556	svchost.com
1028	7F7FF6~1.EXE
3084	svchost.com
4936	7F7FF6~1.EXE
2192	svchost.com
2136	7F7FF6~1.EXE
4128	svchost.com
4084	7F7FF6~1.EXE
460	svchost.com
2328	7F7FF6~1.EXE
1976	svchost.com
1064	7F7FF6~1.EXE
4984	svchost.com
2312	7F7FF6~1.EXE
3044	svchost.com
2152	7F7FF6~1.EXE
1716	svchost.com
1100	7F7FF6~1.EXE
4948	svchost.com
1532	7F7FF6~1.EXE
3976	svchost.com
5104	7F7FF6~1.EXE
4216	svchost.com
4116	7F7FF6~1.EXE
4928	svchost.com
4340	7F7FF6~1.EXE
4904	svchost.com
1528	7F7FF6~1.EXE
4596	svchost.com
2264	7F7FF6~1.EXE
4248	svchost.com
3384	7F7FF6~1.EXE
1560	svchost.com
4520	7F7FF6~1.EXE
5000	svchost.com
2400	7F7FF6~1.EXE
3460	svchost.com

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7F7FF6~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Drops file in Windows directory 64 IoCs

Processes:

7F7FF6~1.EXEsvchost.comsvchost.com7F7FF6~1.EXEsvchost.comsvchost.com7F7FF6~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com7F7FF6~1.EXE7F7FF6~1.EXEsvchost.comsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXEsvchost.com7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXEsvchost.comsvchost.comsvchost.com7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXEsvchost.com7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXEsvchost.comsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXE7F7FF6~1.EXEsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\directx.sys	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	7F7FF6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7F7FF6~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exesvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXEsvchost.com7F7FF6~1.EXE

description	pid	process	target process
PID 5092 wrote to memory of 480	5092	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
PID 5092 wrote to memory of 480	5092	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
PID 5092 wrote to memory of 480	5092	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
PID 480 wrote to memory of 816	480	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe	svchost.com
PID 480 wrote to memory of 816	480	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe	svchost.com
PID 480 wrote to memory of 816	480	7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe	svchost.com
PID 816 wrote to memory of 5084	816	svchost.com	7F7FF6~1.EXE
PID 816 wrote to memory of 5084	816	svchost.com	7F7FF6~1.EXE
PID 816 wrote to memory of 5084	816	svchost.com	7F7FF6~1.EXE
PID 5084 wrote to memory of 4340	5084	7F7FF6~1.EXE	svchost.com
PID 5084 wrote to memory of 4340	5084	7F7FF6~1.EXE	svchost.com
PID 5084 wrote to memory of 4340	5084	7F7FF6~1.EXE	svchost.com
PID 4340 wrote to memory of 4920	4340	svchost.com	7F7FF6~1.EXE
PID 4340 wrote to memory of 4920	4340	svchost.com	7F7FF6~1.EXE
PID 4340 wrote to memory of 4920	4340	svchost.com	7F7FF6~1.EXE
PID 4920 wrote to memory of 4888	4920	7F7FF6~1.EXE	svchost.com
PID 4920 wrote to memory of 4888	4920	7F7FF6~1.EXE	svchost.com
PID 4920 wrote to memory of 4888	4920	7F7FF6~1.EXE	svchost.com
PID 4888 wrote to memory of 2264	4888	svchost.com	7F7FF6~1.EXE
PID 4888 wrote to memory of 2264	4888	svchost.com	7F7FF6~1.EXE
PID 4888 wrote to memory of 2264	4888	svchost.com	7F7FF6~1.EXE
PID 2264 wrote to memory of 4500	2264	7F7FF6~1.EXE	svchost.com
PID 2264 wrote to memory of 4500	2264	7F7FF6~1.EXE	svchost.com
PID 2264 wrote to memory of 4500	2264	7F7FF6~1.EXE	svchost.com
PID 4500 wrote to memory of 4800	4500	svchost.com	7F7FF6~1.EXE
PID 4500 wrote to memory of 4800	4500	svchost.com	7F7FF6~1.EXE
PID 4500 wrote to memory of 4800	4500	svchost.com	7F7FF6~1.EXE
PID 4800 wrote to memory of 5048	4800	7F7FF6~1.EXE	svchost.com
PID 4800 wrote to memory of 5048	4800	7F7FF6~1.EXE	svchost.com
PID 4800 wrote to memory of 5048	4800	7F7FF6~1.EXE	svchost.com
PID 5048 wrote to memory of 4828	5048	svchost.com	7F7FF6~1.EXE
PID 5048 wrote to memory of 4828	5048	svchost.com	7F7FF6~1.EXE
PID 5048 wrote to memory of 4828	5048	svchost.com	7F7FF6~1.EXE
PID 4828 wrote to memory of 4044	4828	7F7FF6~1.EXE	svchost.com
PID 4828 wrote to memory of 4044	4828	7F7FF6~1.EXE	svchost.com
PID 4828 wrote to memory of 4044	4828	7F7FF6~1.EXE	svchost.com
PID 4044 wrote to memory of 2624	4044	svchost.com	7F7FF6~1.EXE
PID 4044 wrote to memory of 2624	4044	svchost.com	7F7FF6~1.EXE
PID 4044 wrote to memory of 2624	4044	svchost.com	7F7FF6~1.EXE
PID 2624 wrote to memory of 32	2624	7F7FF6~1.EXE	svchost.com
PID 2624 wrote to memory of 32	2624	7F7FF6~1.EXE	svchost.com
PID 2624 wrote to memory of 32	2624	7F7FF6~1.EXE	svchost.com
PID 32 wrote to memory of 1780	32	svchost.com	7F7FF6~1.EXE
PID 32 wrote to memory of 1780	32	svchost.com	7F7FF6~1.EXE
PID 32 wrote to memory of 1780	32	svchost.com	7F7FF6~1.EXE
PID 1780 wrote to memory of 1900	1780	7F7FF6~1.EXE	svchost.com
PID 1780 wrote to memory of 1900	1780	7F7FF6~1.EXE	svchost.com
PID 1780 wrote to memory of 1900	1780	7F7FF6~1.EXE	svchost.com
PID 1900 wrote to memory of 3164	1900	svchost.com	7F7FF6~1.EXE
PID 1900 wrote to memory of 3164	1900	svchost.com	7F7FF6~1.EXE
PID 1900 wrote to memory of 3164	1900	svchost.com	7F7FF6~1.EXE
PID 3164 wrote to memory of 3512	3164	7F7FF6~1.EXE	svchost.com
PID 3164 wrote to memory of 3512	3164	7F7FF6~1.EXE	svchost.com
PID 3164 wrote to memory of 3512	3164	7F7FF6~1.EXE	svchost.com
PID 3512 wrote to memory of 3604	3512	svchost.com	7F7FF6~1.EXE
PID 3512 wrote to memory of 3604	3512	svchost.com	7F7FF6~1.EXE
PID 3512 wrote to memory of 3604	3512	svchost.com	7F7FF6~1.EXE
PID 3604 wrote to memory of 1188	3604	7F7FF6~1.EXE	svchost.com
PID 3604 wrote to memory of 1188	3604	7F7FF6~1.EXE	svchost.com
PID 3604 wrote to memory of 1188	3604	7F7FF6~1.EXE	svchost.com
PID 1188 wrote to memory of 1452	1188	svchost.com	7F7FF6~1.EXE
PID 1188 wrote to memory of 1452	1188	svchost.com	7F7FF6~1.EXE
PID 1188 wrote to memory of 1452	1188	svchost.com	7F7FF6~1.EXE
PID 1452 wrote to memory of 1480	1452	7F7FF6~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
"C:\Users\Admin\AppData\Local\Temp\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
12⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
23⤵
- Executes dropped EXE
PID:1480

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
24⤵
- Executes dropped EXE
- Checks computer location settings
PID:3988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
25⤵
- Executes dropped EXE
PID:3108

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
26⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
27⤵
- Executes dropped EXE
PID:3968

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
28⤵
- Executes dropped EXE
- Checks computer location settings
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
29⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
30⤵
- Executes dropped EXE
- Checks computer location settings
PID:1028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
31⤵
- Executes dropped EXE
PID:3084

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
32⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
33⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
34⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
35⤵
- Executes dropped EXE
PID:4128

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
36⤵
- Executes dropped EXE
PID:4084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
37⤵
- Executes dropped EXE
PID:460

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
38⤵
- Executes dropped EXE
PID:2328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
39⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
40⤵
- Executes dropped EXE
PID:1064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
41⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
42⤵
- Executes dropped EXE
PID:2312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
43⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
44⤵
- Executes dropped EXE
- Checks computer location settings
PID:2152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
45⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
46⤵
- Executes dropped EXE
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
47⤵
- Executes dropped EXE
PID:4948

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
48⤵
- Executes dropped EXE
PID:1532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
49⤵
- Executes dropped EXE
PID:3976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
50⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:5104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
51⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
52⤵
- Executes dropped EXE
PID:4116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
53⤵
- Executes dropped EXE
PID:4928

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
54⤵
- Executes dropped EXE
PID:4340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
55⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4904

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
56⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
57⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
58⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
59⤵
- Executes dropped EXE
PID:4248

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
60⤵
- Executes dropped EXE
PID:3384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
61⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
62⤵
- Executes dropped EXE
- Modifies registry class
PID:4520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
63⤵
- Executes dropped EXE
PID:5000

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
64⤵
- Executes dropped EXE
PID:2400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
65⤵
- Executes dropped EXE
PID:3460

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
66⤵
- Modifies registry class
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
67⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
68⤵
PID:5004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
69⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
70⤵
PID:2168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
71⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
72⤵
PID:3580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
73⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
74⤵
PID:3608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
75⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
76⤵
- Modifies registry class
PID:3672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
77⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
78⤵
- Modifies registry class
PID:1264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
79⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
80⤵
PID:1452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
81⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
82⤵
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
83⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
84⤵
PID:3464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
85⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
86⤵
PID:4756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
87⤵
- Drops file in Windows directory
PID:4672

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
88⤵
- Checks computer location settings
PID:3296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
89⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
90⤵
PID:2396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
91⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
92⤵
PID:3844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
93⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
94⤵
- Modifies registry class
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
95⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
96⤵
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
97⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
98⤵
- Checks computer location settings
PID:1976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
99⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
100⤵
PID:2656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
101⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
102⤵
PID:1376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
103⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
104⤵
- Modifies registry class
PID:4968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
105⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
106⤵
PID:2864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
107⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
108⤵
PID:3964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
109⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
110⤵
- Checks computer location settings
PID:816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
111⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
112⤵
PID:4908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
113⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
114⤵
PID:4920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
115⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
116⤵
PID:1204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
117⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
118⤵
PID:4752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
119⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
120⤵
- Checks computer location settings
PID:3460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
121⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
122⤵
PID:3896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
123⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
124⤵
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
125⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
126⤵
- Modifies registry class
PID:3644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
127⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
128⤵
- Checks computer location settings
- Modifies registry class
PID:3612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
129⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
130⤵
PID:3924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
131⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
132⤵
PID:3748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
133⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
134⤵
PID:3616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
135⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
136⤵
- Checks computer location settings
PID:1452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
137⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
138⤵
- Checks computer location settings
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
139⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
140⤵
PID:4172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
141⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
142⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
143⤵
- Drops file in Windows directory
PID:3352

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
144⤵
- Modifies registry class
PID:1412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
145⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
146⤵
- Modifies registry class
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
147⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
148⤵
PID:4140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
149⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
150⤵
PID:2960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
151⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
152⤵
PID:2708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
153⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
154⤵
PID:1160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
155⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
156⤵
PID:2312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
157⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
158⤵
PID:1256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
159⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
160⤵
- Checks computer location settings
PID:4680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
161⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
162⤵
PID:4284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
163⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
164⤵
- Drops file in Windows directory
PID:1884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
165⤵
- Drops file in Windows directory
PID:2976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
166⤵
- Checks computer location settings
PID:2524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
167⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
168⤵
PID:4248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
169⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
170⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
171⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
172⤵
PID:2624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
173⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
174⤵
PID:3500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
175⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
176⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
177⤵
- Drops file in Windows directory
PID:3668

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
178⤵
- Checks computer location settings
PID:3620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
179⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
180⤵
PID:3136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
181⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
182⤵
- Drops file in Windows directory
PID:3604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
183⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
184⤵
PID:2304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
185⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
186⤵
PID:1444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
187⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
188⤵
PID:1452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
189⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
190⤵
PID:2956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
191⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
192⤵
- Modifies registry class
PID:3352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
193⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
194⤵
PID:5108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
195⤵
- Drops file in Windows directory
PID:2140

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
196⤵
PID:4460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
197⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
198⤵
PID:1540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
199⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
200⤵
- Checks computer location settings
PID:840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
201⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
202⤵
- Checks computer location settings
PID:4984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
203⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
204⤵
PID:2088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
205⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
206⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
207⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
208⤵
- Modifies registry class
PID:916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
209⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
210⤵
PID:4544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
211⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
212⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
213⤵
- Drops file in Windows directory
PID:3676

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
214⤵
PID:4148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
215⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
159⤵
PID:5020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
160⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
161⤵
PID:2864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
162⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
1⤵
PID:1204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
2⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
3⤵
- Modifies registry class
PID:4752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
4⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
5⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
6⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
7⤵
PID:4020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
8⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
9⤵
- Drops file in Windows directory
PID:3668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
10⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
11⤵
- Checks computer location settings
- Modifies registry class
PID:3656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
12⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
13⤵
- Checks computer location settings
PID:1596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
14⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
15⤵
PID:4688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
16⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
17⤵
- Checks computer location settings
PID:5088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
18⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
19⤵
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
20⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
21⤵
PID:4192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
22⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
23⤵
PID:3464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
24⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
25⤵
- Checks computer location settings
PID:1412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
26⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
27⤵
PID:2704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
28⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
29⤵
- Checks computer location settings
PID:1652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
30⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
31⤵
PID:2580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
32⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
33⤵
PID:1828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
34⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
35⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
36⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
37⤵
PID:4976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
38⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
39⤵
PID:1816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
40⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
41⤵
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
42⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
43⤵
PID:4284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
44⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
45⤵
- Modifies registry class
PID:4544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
46⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
47⤵
- Drops file in Windows directory
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
48⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
49⤵
- Modifies registry class
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
50⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
51⤵
- Modifies registry class
PID:1536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
52⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
53⤵
PID:2692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
54⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
55⤵
- Modifies registry class
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
56⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
57⤵
- Checks computer location settings
PID:1920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
58⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
59⤵
PID:3468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
60⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
61⤵
PID:3512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
62⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
63⤵
PID:3636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
64⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
65⤵
PID:2204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
66⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
67⤵
PID:788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
68⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
69⤵
- Modifies registry class
PID:3616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
70⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
71⤵
- Drops file in Windows directory
PID:3968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
72⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
73⤵
- Drops file in Windows directory
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
74⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
75⤵
PID:3496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
76⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
77⤵
PID:5036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
78⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
79⤵
PID:3024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
80⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
81⤵
PID:4152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
82⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
83⤵
- Drops file in Windows directory
PID:4296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
84⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
85⤵
PID:648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
86⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
87⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
88⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
89⤵
- Modifies registry class
PID:1376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
90⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
91⤵
- Modifies registry class
PID:4984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
92⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
93⤵
PID:4304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
94⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
95⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
96⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
97⤵
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
98⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
99⤵
PID:4872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
100⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
101⤵
PID:4892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
102⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
103⤵
- Drops file in Windows directory
PID:4124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
104⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
105⤵
PID:2324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
106⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
107⤵
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
108⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
109⤵
PID:1780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
110⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
111⤵
- Checks computer location settings
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
112⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
113⤵
- Modifies registry class
PID:2932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
114⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
115⤵
PID:4576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
116⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
117⤵
PID:3380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
118⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
119⤵
PID:1596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
120⤵
- Drops file in Windows directory
PID:3748

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
121⤵
PID:1592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
122⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
123⤵
PID:1212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
124⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
125⤵
PID:3616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
126⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
127⤵
PID:5040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
128⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
129⤵
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
130⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
131⤵
PID:3496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
132⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
133⤵
PID:5036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
134⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
135⤵
PID:3024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
136⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
137⤵
PID:2120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
138⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
139⤵
PID:2696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
140⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
141⤵
- Checks computer location settings
PID:2116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
142⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
143⤵
PID:1828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
144⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
145⤵
PID:3132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
146⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
147⤵
PID:1772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
148⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
149⤵
PID:1380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
150⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
151⤵
- Drops file in Windows directory
PID:4680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
152⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
153⤵
PID:4924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
154⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
155⤵
PID:4848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
156⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
157⤵
- Checks computer location settings
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
158⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
159⤵
- Drops file in Windows directory
PID:4920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
160⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
161⤵
- Checks computer location settings
PID:4732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
162⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
163⤵
- Drops file in Windows directory
PID:4588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
164⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
165⤵
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
166⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
167⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
168⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
169⤵
PID:3668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
170⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
171⤵
- Checks computer location settings
PID:3632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
172⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
173⤵
PID:4704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
174⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
175⤵
PID:3416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
176⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
177⤵
PID:2304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
178⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
179⤵
PID:3116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
180⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
181⤵
- Checks computer location settings
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
182⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
183⤵
PID:1104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
184⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
185⤵
PID:408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
186⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
187⤵
PID:1412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
188⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
189⤵
PID:2140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
190⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
191⤵
- Checks computer location settings
- Modifies registry class
PID:2564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
192⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
193⤵
- Checks computer location settings
PID:2220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
194⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
195⤵
PID:2936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
196⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
197⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
198⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
199⤵
PID:1376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
200⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
201⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
202⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
203⤵
- Modifies registry class
PID:1408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
204⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
205⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
206⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
207⤵
PID:4116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
208⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
209⤵
- Modifies registry class
PID:4544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
210⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
211⤵
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
212⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
213⤵
PID:1528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
214⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
215⤵
PID:2452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
216⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
217⤵
- Modifies registry class
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
218⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
219⤵
PID:1288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
220⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
221⤵
PID:5028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
222⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
223⤵
PID:3588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
224⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
225⤵
- Checks computer location settings
PID:4576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
226⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
227⤵
PID:3632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
228⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
229⤵
PID:2640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
230⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
231⤵
PID:3108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
232⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
233⤵
PID:1592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
234⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
235⤵
PID:936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
236⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
237⤵
- Modifies registry class
PID:4172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
238⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
239⤵
PID:4192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
240⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
241⤵
PID:4724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
242⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
243⤵
PID:3392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
244⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
245⤵
- Checks computer location settings
PID:4364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
246⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
247⤵
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
248⤵
- Drops file in Windows directory
PID:4296

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
249⤵
- Checks computer location settings
- Modifies registry class
PID:720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
250⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
251⤵
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
252⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
253⤵
PID:4992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
254⤵
- Drops file in Windows directory
PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
255⤵
PID:484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
256⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
257⤵
PID:2980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
258⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
1⤵
PID:4052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
2⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
3⤵
PID:4924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
4⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
5⤵
PID:4848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
6⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
7⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
8⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
9⤵
PID:4944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
10⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
11⤵
PID:3704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
12⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
13⤵
- Drops file in Windows directory
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
14⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
15⤵
- Drops file in Windows directory
PID:3500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
16⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
17⤵
- Modifies registry class
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
18⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
19⤵
PID:3828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
20⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
21⤵
PID:3564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
22⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
23⤵
PID:3516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
24⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
25⤵
PID:4092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
26⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
27⤵
PID:4688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
28⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
29⤵
PID:2968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
30⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
31⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
32⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
33⤵
PID:4228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
34⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
35⤵
PID:2792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
36⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
37⤵
PID:2448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
38⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
39⤵
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
40⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
41⤵
PID:4080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
42⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
43⤵
PID:4152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
44⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
45⤵
PID:4296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
46⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
47⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
48⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
49⤵
PID:4288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
50⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
51⤵
PID:1976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
52⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
53⤵
PID:3132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
54⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
55⤵
- Drops file in Windows directory
PID:1772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
56⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
57⤵
PID:2432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
58⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
59⤵
PID:4956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
60⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
61⤵
PID:4376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
62⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
63⤵
PID:4880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
64⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
65⤵
PID:4560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
66⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
67⤵
PID:1740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
68⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
69⤵
PID:4736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
70⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
71⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
72⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
73⤵
PID:2168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
74⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
75⤵
PID:4188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
76⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
77⤵
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
78⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
79⤵
PID:3756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
80⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
81⤵
PID:4720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
82⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
83⤵
PID:3636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
84⤵
- Drops file in Windows directory
PID:2180

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
85⤵
PID:2640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
86⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
87⤵
PID:4632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
88⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
89⤵
PID:1048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
90⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
91⤵
PID:4512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
92⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
93⤵
- Modifies registry class
PID:2620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
94⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
95⤵
PID:2396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
96⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
97⤵
PID:4932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
98⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
99⤵
- Checks computer location settings
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
100⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
101⤵
PID:4712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
102⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
103⤵
PID:4868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
104⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
105⤵
- Modifies registry class
PID:2580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
106⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
107⤵
- Modifies registry class
PID:672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
108⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
109⤵
PID:1824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
110⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
111⤵
- Checks computer location settings
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
112⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
113⤵
PID:1716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
114⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
115⤵
PID:3912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
116⤵
- Drops file in Windows directory
PID:1380

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
117⤵
PID:4912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
118⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
119⤵
PID:4680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
120⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
121⤵
PID:5104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
122⤵
- Drops file in Windows directory
PID:4872

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
123⤵
PID:4800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
124⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
125⤵
PID:4788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
126⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
127⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
128⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
129⤵
PID:980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
130⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
131⤵
PID:4588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
132⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
133⤵
PID:3844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
134⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
135⤵
- Modifies registry class
PID:2148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
136⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
137⤵
PID:3468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
138⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
139⤵
PID:3140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
140⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
141⤵
PID:4700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
142⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
143⤵
- Drops file in Windows directory
PID:2208

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
144⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
145⤵
PID:4964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
146⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
147⤵
- Checks computer location settings
PID:2304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
148⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
149⤵
PID:1448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
150⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
151⤵
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
152⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
153⤵
PID:2104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
154⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
155⤵
PID:2468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
156⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
157⤵
PID:2448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
158⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
159⤵
- Checks computer location settings
PID:4084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
160⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
161⤵
- Drops file in Windows directory
PID:2704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
162⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
163⤵
- Modifies registry class
PID:460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
164⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
165⤵
PID:2696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
166⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
167⤵
- Checks computer location settings
- Modifies registry class
PID:4940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
168⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
169⤵
- Modifies registry class
PID:644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
170⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
171⤵
PID:3404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
172⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
173⤵
PID:1256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
174⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
175⤵
PID:5020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
176⤵
- Drops file in Windows directory
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
177⤵
PID:2864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
178⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
179⤵
PID:5044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
180⤵
- Drops file in Windows directory
PID:3856

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
181⤵
PID:4924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
182⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
183⤵
PID:4848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
184⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
185⤵
PID:4596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
186⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
187⤵
PID:3700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
188⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
189⤵
PID:224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
190⤵
- Drops file in Windows directory
PID:4752

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
191⤵
PID:3896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
192⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
193⤵
PID:1780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
194⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
195⤵
PID:3620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
196⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
197⤵
PID:1384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
198⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
199⤵
PID:3668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
200⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
201⤵
PID:556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
202⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
203⤵
- Modifies registry class
PID:4704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
204⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
205⤵
PID:4852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
206⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
207⤵
PID:2968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
208⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
209⤵
PID:4176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
210⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
211⤵
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
212⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
213⤵
- Drops file in Windows directory
PID:1104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
214⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
215⤵
- Checks computer location settings
PID:4504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
216⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
217⤵
PID:2236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
218⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
219⤵
PID:1084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
220⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
221⤵
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
222⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
223⤵
PID:4180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
224⤵
- Drops file in Windows directory
PID:4804

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
225⤵
PID:4168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
226⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
227⤵
PID:4744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
228⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
229⤵
PID:5008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
230⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
231⤵
PID:4984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
232⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
233⤵
PID:4608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
234⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
235⤵
PID:1408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
236⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
237⤵
- Checks computer location settings
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
238⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
239⤵
PID:2256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
240⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
241⤵
PID:5104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
242⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
243⤵
PID:4800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
244⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
245⤵
PID:4788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
246⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
247⤵
- Checks computer location settings
- Modifies registry class
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
248⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
249⤵
PID:3460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
250⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
251⤵
PID:3064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
252⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
253⤵
PID:3716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
254⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
255⤵
PID:5028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
256⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
257⤵
- Drops file in Windows directory
PID:1404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
258⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
259⤵
PID:3176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
260⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
261⤵
- Checks computer location settings
PID:3604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
262⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
263⤵
PID:4836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
264⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
265⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
266⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
267⤵
PID:4632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
268⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
269⤵
PID:1712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
270⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
271⤵
PID:1096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
272⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
273⤵
- Checks computer location settings
PID:4172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
274⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
275⤵
PID:4192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
276⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
277⤵
PID:2344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
278⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
279⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
280⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
281⤵
- Modifies registry class
PID:2512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
282⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
283⤵
PID:2328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
284⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
285⤵
PID:3464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
286⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
287⤵
PID:1064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
288⤵
- Drops file in Windows directory
PID:648

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
289⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
290⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
291⤵
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
292⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
293⤵
PID:1716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
294⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
295⤵
- Modifies registry class
PID:3180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
296⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
297⤵
PID:5084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
298⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
299⤵
- Drops file in Windows directory
PID:2432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
300⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
301⤵
PID:4864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
302⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
303⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
304⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
305⤵
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
306⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
307⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
308⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
309⤵
PID:3700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
310⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
311⤵
PID:224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
312⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
313⤵
PID:3896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
314⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
315⤵
- Modifies registry class
PID:1780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
316⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
317⤵
PID:3572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
318⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
319⤵
PID:3484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
320⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
321⤵
- Checks computer location settings
- Modifies registry class
PID:3868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
322⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
323⤵
PID:3632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
324⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
325⤵
- Modifies registry class
PID:3504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
326⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
327⤵
PID:2184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
328⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
207⤵
- Modifies registry class
PID:2304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
208⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
209⤵
PID:1448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
210⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
211⤵
PID:4512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
212⤵
- Drops file in Windows directory
PID:2104

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
213⤵
PID:3244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
214⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
215⤵
PID:3340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
216⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
217⤵
PID:2192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
218⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
219⤵
PID:4696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
220⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
221⤵
- Modifies registry class
PID:4152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
222⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
223⤵
PID:2708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
224⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
225⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
226⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
227⤵
PID:3384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
228⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
229⤵
PID:1064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
230⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
231⤵
PID:4744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
232⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
233⤵
PID:3424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
234⤵
- Drops file in Windows directory
PID:1708

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
235⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
236⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
237⤵
- Checks computer location settings
PID:4628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
238⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
239⤵
- Drops file in Windows directory
- Modifies registry class
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
240⤵
- Drops file in Windows directory
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
241⤵
- Checks computer location settings
PID:2108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
242⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
243⤵
- Checks computer location settings
PID:2508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
244⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
245⤵
PID:2976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
246⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
247⤵
PID:1204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
248⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
249⤵
PID:2668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
250⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
251⤵
PID:1520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
252⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
253⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
254⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
255⤵
PID:2340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
256⤵
- Drops file in Windows directory
PID:1780

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
257⤵
PID:2172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
258⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
259⤵
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
260⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
261⤵
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
262⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
263⤵
PID:4008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
264⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
265⤵
PID:3636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
266⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
267⤵
PID:2888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
268⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
269⤵
- Modifies registry class
PID:4852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
270⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
271⤵
PID:3388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
272⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
273⤵
PID:3708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
274⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
275⤵
PID:4228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
276⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
277⤵
PID:3544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
278⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
279⤵
- Checks computer location settings
PID:4980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
280⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
281⤵
- Drops file in Windows directory
- Modifies registry class
PID:3340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
282⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
283⤵
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
284⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
285⤵
PID:4712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
286⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
287⤵
PID:2120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
288⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
289⤵
PID:1476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
290⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
291⤵
PID:1540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
292⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
293⤵
PID:2936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
294⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
295⤵
PID:648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
296⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
297⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
298⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
299⤵
PID:4048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
300⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
301⤵
PID:4608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
302⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
303⤵
PID:1408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
304⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
305⤵
- Drops file in Windows directory
PID:4956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
306⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
307⤵
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
308⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
309⤵
PID:4864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
310⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
311⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
312⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
313⤵
- Drops file in Windows directory
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
314⤵
- Drops file in Windows directory
PID:1204

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
315⤵
PID:4944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
316⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
317⤵
PID:1420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
318⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
319⤵
PID:5064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
320⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
321⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
322⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
323⤵
- Modifies registry class
PID:3844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
324⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
325⤵
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
326⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
327⤵
PID:3468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
328⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
329⤵
- Drops file in Windows directory
PID:3668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
330⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
331⤵
PID:4008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
332⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
333⤵
- Checks computer location settings
PID:3636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
334⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
335⤵
PID:2888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
336⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
337⤵
PID:4852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
338⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
339⤵
- Checks computer location settings
PID:2304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
340⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
341⤵
PID:3708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
342⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
343⤵
PID:3968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
344⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
345⤵
PID:3544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
346⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
347⤵
PID:4980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
348⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
349⤵
PID:3340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
350⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
351⤵
- Checks computer location settings
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
352⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
353⤵
- Checks computer location settings
PID:2512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
354⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
355⤵
- Drops file in Windows directory
PID:4296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
356⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
357⤵
PID:5048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
358⤵
- Drops file in Windows directory
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
359⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
360⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
361⤵
PID:2116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
362⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
363⤵
PID:648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
364⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
365⤵
- Checks computer location settings
PID:5008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
366⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
367⤵
- Drops file in Windows directory
- Modifies registry class
PID:1716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
368⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
369⤵
- Modifies registry class
PID:3180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
370⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
371⤵
PID:3628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
372⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
373⤵
PID:1276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
374⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
375⤵
PID:4872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
376⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
377⤵
PID:4148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
378⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
379⤵
PID:3492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
380⤵
- Drops file in Windows directory
PID:4124

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
381⤵
PID:1740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
382⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
383⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
384⤵
- Drops file in Windows directory
PID:972

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
385⤵
PID:1520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
386⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
387⤵
PID:864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
388⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
389⤵
- Checks computer location settings
PID:3356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
390⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
391⤵
PID:3844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
392⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
393⤵
- Drops file in Windows directory
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
394⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
395⤵
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
396⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
397⤵
PID:1188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
398⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
399⤵
PID:4008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
400⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
401⤵
PID:3108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
402⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
403⤵
PID:2888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
404⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
405⤵
PID:1712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
406⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
407⤵
PID:4452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
408⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
409⤵
PID:3708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
410⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
411⤵
PID:4988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
412⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
413⤵
PID:4504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
414⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
415⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
416⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
417⤵
- Drops file in Windows directory
PID:3340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
418⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
419⤵
- Checks computer location settings
- Modifies registry class
PID:2720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
420⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
421⤵
- Modifies registry class
PID:4136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
422⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
423⤵
PID:4180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE"
424⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7F7FF6~1.EXE
425⤵
PID:5032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
114445130d5e083c42830d9adbf5d748

SHA1
48a62ec52b835918cc19a2df9c624a7a0d6b85e1

SHA256
a5f47d59b8d08fc85ee411ec2e1015fedda08fd4a6cae2bf7b3bb1a7db2ccb5e

SHA512
45eb73fd4e12ed70c386c733b2bc04296fb1a16be04b4cd45260c70d0e4b6cf3a87dc223ce2319d94b79c513ba19d0816bae428c466076c1de906429aaa78748

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
ef63e5ccbea2788d900f1c70a6159c68

SHA1
4ac2e144f9dd97a0cd061b76be89f7850887c166

SHA256
a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45

SHA512
913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
3e8712e3f8ce04d61b1c23d9494e1154

SHA1
7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4

SHA256
7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9

SHA512
d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
823cb3e3a3de255bdb0d1f362f6f48ab

SHA1
9027969c2f7b427527b23cb7ab1a0abc1898b262

SHA256
b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f

SHA512
0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
961c73fd70b543a6a3c816649e5f8fce

SHA1
8dbdc7daeb83110638d192f65f6d014169e0a79b

SHA256
f94ddaf929fb16d952b79c02e78439a10dd2faa78f7f66b7d52de2675e513103

SHA512
e5d97ee63b02abc65add41f6721514515b34fd79f7db23ae04cf608c2f7e0504e00b07694047b982d14d60cccf6f833b50268c693e3baf1b697d3370c0bba0b6

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

Filesize
942KB

MD5
ce54528f13a4cbd25f23b1f8823522ab

SHA1
beda60ae24164e84ec1151fbd89058f62b738914

SHA256
094bf6115095eafb09b11b44d3156ba43c16e7c55f58339735f4447daa7630b0

SHA512
90846fa87c70f3c1d30280d827ffb8422a177f1c853c6e9a629f6fe792c70d6fe0968cbe484e9b8491482e8c0d37d9bf59215bd26459153b4bbaec4ccab2e8e5

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

Filesize
623KB

MD5
675848e522987496daca257b6e0cbab2

SHA1
f81467ba1cd5cb791de9d8774947727e17117f64

SHA256
a5005943c08330ebf69ff119a4113e88e371d4a6f71f51594624bb546391dbe3

SHA512
589856133e78c8b6e08026601e510751fb15aedc5a9460fb8a2d13b437487d8a2740125b92383d3273d6a292c5a5b3c82c8c892706c34e63e3153a0eaf8411f0

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
6b27dd3f7c6898e7d1bcff73d6e29858

SHA1
55102c244643d43aeaf625145c6475e78dfbe9de

SHA256
53e47df12f0ce2005f4a2a773d194c9431b325b64c205dfa4cfba45c973b65f3

SHA512
52b7a596b07935f15f008c2de38c5dfd85df18b49e5083e363b90fb321d4f1bf588627dcbe94fa6434c460243b254c5ca1dbcf2c956e49baa92e13e104500f2f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE

Filesize
217KB

MD5
d9560c2edb3a5cdf108a8263faf533f2

SHA1
6455c4d5bcb74f2dce1e68a5f56c82cf0f06397d

SHA256
cc4c349e3c7942d9fac4723e539042e80a62cbe906544426e1935a4f69bdb27e

SHA512
7d1338fd9f805a989e6864f654b6d5feacb7555b55607e277e6944df0231ed22f77981723f33462daa919d9bc23d3051d3ae382f44d0f58613e4975923c54fe9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE

Filesize
138KB

MD5
cfaf70fd3030942d451ef8b1c36f8ee0

SHA1
5d35117280b1d9ecab86c7da513b0a05b3543dbe

SHA256
b32dea3f8e63d73e721505100c110ed32077fd5d3975668f7e930d6786620d16

SHA512
10ebf91807cd44554355e5fdb8c49356873f2830f0d0b88043e29094d4e70762b2b22df4a6ac16b6f147fba7f83a7024830a077b0ef2ca93577f2679ea36df2e

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE

Filesize
191KB

MD5
57bf2fd36e4da246c78fe1f921474a0a

SHA1
1bbc7a30c499f5e23ffdba1b35790c9d4dc073b4

SHA256
151b45632182e95cc98d361fc2b21ad2751385344d00e1a56cc023a916a8f4b2

SHA512
5a4e77506c9712fd784e36acb18e72c575824648b8579be7ce378ae2267488bf20f097efdc114db65e3eee40170156d4225de753674f696722721914bb2b8055

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE

Filesize
326KB

MD5
803f587966e9042240de311969259be1

SHA1
9837b60d7cc741f777a7201975924131bfda3dcc

SHA256
159bfc5593229fd43e215b8b54b965288be3bcfeac4d7d1c94f23929a212bfba

SHA512
46acc0c74a03b9e76abb201d95f56bba85e9128605c49019f67366126d9502f7fa88326ec69f7ba6929928582c3995216d0ea4c61d578d9b6e29eb21a5333720

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
fdad5d6d8cf37e8c446dcd6c56c718c3

SHA1
412883fd3bb56f2b850d2c29ee666d9b75636faf

SHA256
2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c

SHA512
9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
b84ae39dd0420080bd9e6b9557eea65b

SHA1
5326a058a3bcc4eb0530028e17d391e356210603

SHA256
92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924

SHA512
860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
ae390fa093b459a84c27b6c266888a7e

SHA1
ad88709a7f286fc7d65559e9aee3812be6baf4b2

SHA256
738b7b5da8ca4798043672d2a32913e0f64268c7861eecc9fcc4c7f9d440d8cd

SHA512
096b5190efefe4c5272637e0721dcd339883f551c5e0cce568ed0bd63b31fb9acef6b09d310966482dbc7a944cc7a5878b0ad6bd68c30d1871254865a1660851

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
69e1e0de795a8bf8c4884cb98203b1f4

SHA1
a17f2ba68776596e2d1593781289c7007a805675

SHA256
2b6d153b9df86033b7a83eb4f521fd4f7aeec35dc54ef8d1ffe80f5bbd030dbb

SHA512
353b664271d0f49f94b60c7fbaf5ab6d5b8df7690383517a90ba675f750d9b28628bbd5ed92a6782879607f4c21214b15ea95fd6a5a8d6f9540a1b75ddb9e665

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
032ee4d65b62d87cf809438556d30429

SHA1
34458fcefe3c67f19c3d2c94389fc99e54e74801

SHA256
0099c710e406e0423bb0b11eb4c113508c67f84a0972a2d14c038687cac1753b

SHA512
6b912d51e93f1e4756ecc5321ec08a6eb5e15413a9d9cf568bd14ce2a5199d064f6dd5c7d9d5155296d1a4ab5852c81a8fc138565fb788e7402c09b61281a5cd

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
b8bffe8467716db4da9d94061dc33d07

SHA1
db4bac1757b1b60b26e2fef0fc88ce708efad352

SHA256
b03986224aa28f1e1850bd2fcd1a5f5f2fea34c2c0815d8e6943f0a98b754af2

SHA512
5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a31628879099ba1efd1b63e81771f6c7

SHA1
42d9de49d0465c907be8ee1ef1ccf3926b8825fe

SHA256
031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc

SHA512
0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7f7ff656b2daef0f14997833b37cf66d41f4f97d3e54320e86a97c024af16f06.exe

Filesize
92KB

MD5
d6ff4db16299f85d15c541b3b948f0b2

SHA1
a9cbaf2b7611314cdd04fac8cb74da5d950e5faf

SHA256
864405b2abb8c9c85c6be93db5d2a99aa216db37900024c55cd6b45e17fec671

SHA512
b115206e59080cbd810ad4267d6fd291cb62bcb233941865ac01c9abc9a6029ffe7dc8144ede7648353d7404eb54c79f71ad7d85aac35ca9aabc49c0963052a0

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c52bc1d6d7fc6899c4eeade852685805

SHA1
8f4a0039b1c05c9c87f0da41a5c23eb76d194db1

SHA256
8f92ad654ca57473ce78c1306dd9a81c863f867f19199b6403c0d7f4ca9b2a14

SHA512
78a2247ed05d71f00c2c50851dc3431cd1f13a01a7e7c1d84a5e1d5217c0628ae62dce1abd0a09b8f4fa34bca93d63b1add0fdc0c86dca0feffa82d48c86ee5a

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
2e47c96f947db7a8be51985ccc0de0ab

SHA1
174897a0254dc90c23c8636cfdf0d49515c4b627

SHA256
93a0e5763816fa35707b8c651178e93fd235f13ab517be76a0c91f0f81335a59

SHA512
3fdce195c9d9223ad90c089ace36d1a2a6775761f2fb30ad0f813ac6c107031bc793b742048de5975564061f487def41f1fedd7718ba3dade7739ba223d8cbbb

Download Submit
memory/32-178-0x0000000000000000-mapping.dmp

Download
memory/460-231-0x0000000000000000-mapping.dmp

Download
memory/480-132-0x0000000000000000-mapping.dmp

Download
memory/816-135-0x0000000000000000-mapping.dmp

Download
memory/1028-224-0x0000000000000000-mapping.dmp

Download
memory/1064-234-0x0000000000000000-mapping.dmp

Download
memory/1100-240-0x0000000000000000-mapping.dmp

Download
memory/1188-215-0x0000000000000000-mapping.dmp

Download
memory/1452-216-0x0000000000000000-mapping.dmp

Download
memory/1480-217-0x0000000000000000-mapping.dmp

Download
memory/1528-250-0x0000000000000000-mapping.dmp

Download
memory/1532-242-0x0000000000000000-mapping.dmp

Download
memory/1560-255-0x0000000000000000-mapping.dmp

Download
memory/1576-222-0x0000000000000000-mapping.dmp

Download
memory/1716-239-0x0000000000000000-mapping.dmp

Download
memory/1780-182-0x0000000000000000-mapping.dmp

Download
memory/1900-184-0x0000000000000000-mapping.dmp

Download
memory/1904-220-0x0000000000000000-mapping.dmp

Download
memory/1976-233-0x0000000000000000-mapping.dmp

Download
memory/2136-228-0x0000000000000000-mapping.dmp

Download
memory/2152-238-0x0000000000000000-mapping.dmp

Download
memory/2192-227-0x0000000000000000-mapping.dmp

Download
memory/2264-151-0x0000000000000000-mapping.dmp

Download
memory/2264-252-0x0000000000000000-mapping.dmp

Download
memory/2312-236-0x0000000000000000-mapping.dmp

Download
memory/2328-232-0x0000000000000000-mapping.dmp

Download
memory/2400-258-0x0000000000000000-mapping.dmp

Download
memory/2624-174-0x0000000000000000-mapping.dmp

Download
memory/3044-237-0x0000000000000000-mapping.dmp

Download
memory/3084-225-0x0000000000000000-mapping.dmp

Download
memory/3108-219-0x0000000000000000-mapping.dmp

Download
memory/3164-187-0x0000000000000000-mapping.dmp

Download
memory/3384-254-0x0000000000000000-mapping.dmp

Download
memory/3460-259-0x0000000000000000-mapping.dmp

Download
memory/3512-198-0x0000000000000000-mapping.dmp

Download
memory/3604-207-0x0000000000000000-mapping.dmp

Download
memory/3968-221-0x0000000000000000-mapping.dmp

Download
memory/3976-243-0x0000000000000000-mapping.dmp

Download
memory/3988-218-0x0000000000000000-mapping.dmp

Download
memory/4044-168-0x0000000000000000-mapping.dmp

Download
memory/4084-230-0x0000000000000000-mapping.dmp

Download
memory/4116-246-0x0000000000000000-mapping.dmp

Download
memory/4128-229-0x0000000000000000-mapping.dmp

Download
memory/4216-245-0x0000000000000000-mapping.dmp

Download
memory/4248-253-0x0000000000000000-mapping.dmp

Download
memory/4340-141-0x0000000000000000-mapping.dmp

Download
memory/4340-248-0x0000000000000000-mapping.dmp

Download
memory/4500-153-0x0000000000000000-mapping.dmp

Download
memory/4520-256-0x0000000000000000-mapping.dmp

Download
memory/4556-223-0x0000000000000000-mapping.dmp

Download
memory/4596-251-0x0000000000000000-mapping.dmp

Download
memory/4800-157-0x0000000000000000-mapping.dmp

Download
memory/4828-162-0x0000000000000000-mapping.dmp

Download
memory/4888-147-0x0000000000000000-mapping.dmp

Download
memory/4904-249-0x0000000000000000-mapping.dmp

Download
memory/4920-145-0x0000000000000000-mapping.dmp

Download
memory/4928-247-0x0000000000000000-mapping.dmp

Download
memory/4936-226-0x0000000000000000-mapping.dmp

Download
memory/4948-241-0x0000000000000000-mapping.dmp

Download
memory/4984-235-0x0000000000000000-mapping.dmp

Download
memory/5000-257-0x0000000000000000-mapping.dmp

Download
memory/5048-159-0x0000000000000000-mapping.dmp

Download
memory/5084-139-0x0000000000000000-mapping.dmp

Download
memory/5104-244-0x0000000000000000-mapping.dmp

Download