neshta | fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd

Analysis

max time kernel
227s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Size

703KB
MD5

90cd738e2ab584ae9f1faa6641d1c4ff
SHA1

3b080867bc85e39b8d3606b7e6f9d4c72b5bd535
SHA256

fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd
SHA512

ed1b2e27087cd38c02310f84a9a700741165f82aad18a10aad53eebda1ec2890df2747a02ea51bc1ab96362ac4478f07e9804898f769ab0045bfc868a3be0328
SSDEEP

12288:zzQWAhaVQFipAkaDM3FH5Pd8RV82NGC4iPh170xiWMgFxJx9dZTO6CW:zsWAhaVQFTct5PHC4iPsVMihOm

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exesvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.com

pid	process
1320	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
324	svchost.com
336	FEAD52~1.EXE
1844	svchost.com
1552	FEAD52~1.EXE
436	svchost.com
1044	FEAD52~1.EXE
1840	svchost.com
1936	FEAD52~1.EXE
1252	svchost.com
1800	FEAD52~1.EXE
1364	svchost.com
1732	FEAD52~1.EXE
908	svchost.com
1496	FEAD52~1.EXE
472	svchost.com
396	FEAD52~1.EXE
1888	svchost.com
668	FEAD52~1.EXE
540	svchost.com
1724	FEAD52~1.EXE
940	svchost.com
1952	FEAD52~1.EXE
844	svchost.com
1960	FEAD52~1.EXE
1568	svchost.com
1840	FEAD52~1.EXE
800	svchost.com
1220	FEAD52~1.EXE
568	svchost.com
1720	FEAD52~1.EXE
976	svchost.com
1364	FEAD52~1.EXE
1644	svchost.com
580	FEAD52~1.EXE
1352	svchost.com
1788	FEAD52~1.EXE
1704	svchost.com
472	FEAD52~1.EXE
396	svchost.com
1836	FEAD52~1.EXE
2004	svchost.com
1088	FEAD52~1.EXE
1784	svchost.com
1776	FEAD52~1.EXE
1912	svchost.com
1328	FEAD52~1.EXE
1256	svchost.com
112	FEAD52~1.EXE
1356	svchost.com
1568	FEAD52~1.EXE
1252	svchost.com
692	FEAD52~1.EXE
1280	svchost.com
1964	FEAD52~1.EXE
2040	svchost.com
976	FEAD52~1.EXE
564	svchost.com
1372	FEAD52~1.EXE
680	svchost.com
1740	FEAD52~1.EXE
872	svchost.com
324	FEAD52~1.EXE
1628	svchost.com

Loads dropped DLL 64 IoCs

Processes:

fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

pid	process
700	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
700	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
324	svchost.com
324	svchost.com
1844	svchost.com
1844	svchost.com
436	svchost.com
436	svchost.com
1840	svchost.com
1840	svchost.com
1252	svchost.com
1252	svchost.com
1364	svchost.com
1364	svchost.com
908	svchost.com
908	svchost.com
472	svchost.com
472	svchost.com
1888	svchost.com
1888	svchost.com
540	svchost.com
540	svchost.com
940	svchost.com
940	svchost.com
844	svchost.com
844	svchost.com
1568	svchost.com
1568	svchost.com
800	svchost.com
800	svchost.com
568	svchost.com
568	svchost.com
976	svchost.com
976	svchost.com
1644	svchost.com
1644	svchost.com
1352	svchost.com
1352	svchost.com
1704	svchost.com
1704	svchost.com
396	svchost.com
396	svchost.com
2004	svchost.com
2004	svchost.com
1784	svchost.com
1784	svchost.com
1912	svchost.com
1912	svchost.com
1256	svchost.com
1256	svchost.com
1356	svchost.com
1356	svchost.com
1252	svchost.com
1252	svchost.com
1280	svchost.com
1280	svchost.com
2040	svchost.com
2040	svchost.com
564	svchost.com
564	svchost.com
680	svchost.com
680	svchost.com
872	svchost.com
872	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exefead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe

Drops file in Windows directory 64 IoCs

Processes:

FEAD52~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comFEAD52~1.EXEsvchost.comsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comsvchost.comsvchost.comFEAD52~1.EXEFEAD52~1.EXEFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comsvchost.comsvchost.comFEAD52~1.EXEFEAD52~1.EXEFEAD52~1.EXEFEAD52~1.EXEsvchost.comFEAD52~1.EXE

description	ioc	process
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\directx.sys	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\directx.sys	FEAD52~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	FEAD52~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FEAD52~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 31 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	nsis_installer_2

Modifies registry class 1 IoCs

Processes:

fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exefead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exesvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXEsvchost.comFEAD52~1.EXE

description	pid	process	target process
PID 700 wrote to memory of 1320	700	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
PID 700 wrote to memory of 1320	700	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
PID 700 wrote to memory of 1320	700	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
PID 700 wrote to memory of 1320	700	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
PID 1320 wrote to memory of 324	1320	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	svchost.com
PID 1320 wrote to memory of 324	1320	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	svchost.com
PID 1320 wrote to memory of 324	1320	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	svchost.com
PID 1320 wrote to memory of 324	1320	fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe	svchost.com
PID 324 wrote to memory of 336	324	svchost.com	FEAD52~1.EXE
PID 324 wrote to memory of 336	324	svchost.com	FEAD52~1.EXE
PID 324 wrote to memory of 336	324	svchost.com	FEAD52~1.EXE
PID 324 wrote to memory of 336	324	svchost.com	FEAD52~1.EXE
PID 336 wrote to memory of 1844	336	FEAD52~1.EXE	svchost.com
PID 336 wrote to memory of 1844	336	FEAD52~1.EXE	svchost.com
PID 336 wrote to memory of 1844	336	FEAD52~1.EXE	svchost.com
PID 336 wrote to memory of 1844	336	FEAD52~1.EXE	svchost.com
PID 1844 wrote to memory of 1552	1844	svchost.com	FEAD52~1.EXE
PID 1844 wrote to memory of 1552	1844	svchost.com	FEAD52~1.EXE
PID 1844 wrote to memory of 1552	1844	svchost.com	FEAD52~1.EXE
PID 1844 wrote to memory of 1552	1844	svchost.com	FEAD52~1.EXE
PID 1552 wrote to memory of 436	1552	FEAD52~1.EXE	svchost.com
PID 1552 wrote to memory of 436	1552	FEAD52~1.EXE	svchost.com
PID 1552 wrote to memory of 436	1552	FEAD52~1.EXE	svchost.com
PID 1552 wrote to memory of 436	1552	FEAD52~1.EXE	svchost.com
PID 436 wrote to memory of 1044	436	svchost.com	FEAD52~1.EXE
PID 436 wrote to memory of 1044	436	svchost.com	FEAD52~1.EXE
PID 436 wrote to memory of 1044	436	svchost.com	FEAD52~1.EXE
PID 436 wrote to memory of 1044	436	svchost.com	FEAD52~1.EXE
PID 1044 wrote to memory of 1840	1044	FEAD52~1.EXE	svchost.com
PID 1044 wrote to memory of 1840	1044	FEAD52~1.EXE	svchost.com
PID 1044 wrote to memory of 1840	1044	FEAD52~1.EXE	svchost.com
PID 1044 wrote to memory of 1840	1044	FEAD52~1.EXE	svchost.com
PID 1840 wrote to memory of 1936	1840	svchost.com	FEAD52~1.EXE
PID 1840 wrote to memory of 1936	1840	svchost.com	FEAD52~1.EXE
PID 1840 wrote to memory of 1936	1840	svchost.com	FEAD52~1.EXE
PID 1840 wrote to memory of 1936	1840	svchost.com	FEAD52~1.EXE
PID 1936 wrote to memory of 1252	1936	FEAD52~1.EXE	svchost.com
PID 1936 wrote to memory of 1252	1936	FEAD52~1.EXE	svchost.com
PID 1936 wrote to memory of 1252	1936	FEAD52~1.EXE	svchost.com
PID 1936 wrote to memory of 1252	1936	FEAD52~1.EXE	svchost.com
PID 1252 wrote to memory of 1800	1252	svchost.com	FEAD52~1.EXE
PID 1252 wrote to memory of 1800	1252	svchost.com	FEAD52~1.EXE
PID 1252 wrote to memory of 1800	1252	svchost.com	FEAD52~1.EXE
PID 1252 wrote to memory of 1800	1252	svchost.com	FEAD52~1.EXE
PID 1800 wrote to memory of 1364	1800	FEAD52~1.EXE	svchost.com
PID 1800 wrote to memory of 1364	1800	FEAD52~1.EXE	svchost.com
PID 1800 wrote to memory of 1364	1800	FEAD52~1.EXE	svchost.com
PID 1800 wrote to memory of 1364	1800	FEAD52~1.EXE	svchost.com
PID 1364 wrote to memory of 1732	1364	svchost.com	FEAD52~1.EXE
PID 1364 wrote to memory of 1732	1364	svchost.com	FEAD52~1.EXE
PID 1364 wrote to memory of 1732	1364	svchost.com	FEAD52~1.EXE
PID 1364 wrote to memory of 1732	1364	svchost.com	FEAD52~1.EXE
PID 1732 wrote to memory of 908	1732	FEAD52~1.EXE	svchost.com
PID 1732 wrote to memory of 908	1732	FEAD52~1.EXE	svchost.com
PID 1732 wrote to memory of 908	1732	FEAD52~1.EXE	svchost.com
PID 1732 wrote to memory of 908	1732	FEAD52~1.EXE	svchost.com
PID 908 wrote to memory of 1496	908	svchost.com	FEAD52~1.EXE
PID 908 wrote to memory of 1496	908	svchost.com	FEAD52~1.EXE
PID 908 wrote to memory of 1496	908	svchost.com	FEAD52~1.EXE
PID 908 wrote to memory of 1496	908	svchost.com	FEAD52~1.EXE
PID 1496 wrote to memory of 472	1496	FEAD52~1.EXE	svchost.com
PID 1496 wrote to memory of 472	1496	FEAD52~1.EXE	svchost.com
PID 1496 wrote to memory of 472	1496	FEAD52~1.EXE	svchost.com
PID 1496 wrote to memory of 472	1496	FEAD52~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
"C:\Users\Admin\AppData\Local\Temp\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
18⤵
- Executes dropped EXE
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
20⤵
- Executes dropped EXE
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
22⤵
- Executes dropped EXE
PID:1724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
24⤵
- Executes dropped EXE
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
26⤵
- Executes dropped EXE
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
28⤵
- Executes dropped EXE
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
30⤵
- Executes dropped EXE
PID:1220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
32⤵
- Executes dropped EXE
PID:1720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
34⤵
- Executes dropped EXE
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
36⤵
- Executes dropped EXE
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
38⤵
- Executes dropped EXE
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
40⤵
- Executes dropped EXE
PID:472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
42⤵
- Executes dropped EXE
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
44⤵
- Executes dropped EXE
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
46⤵
- Executes dropped EXE
PID:1776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
48⤵
- Executes dropped EXE
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
50⤵
- Executes dropped EXE
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
52⤵
- Executes dropped EXE
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
54⤵
- Executes dropped EXE
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
56⤵
- Executes dropped EXE
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
58⤵
- Executes dropped EXE
PID:976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:680

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
3⤵
- Executes dropped EXE
PID:1740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
5⤵
- Executes dropped EXE
PID:324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
6⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
7⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
8⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
9⤵
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
10⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
11⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
12⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
13⤵
PID:824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
14⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
15⤵
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
16⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
17⤵
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
18⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
19⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
20⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
21⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
22⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
23⤵
PID:1040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
24⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
16⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
17⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
18⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
19⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
20⤵
PID:1912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
21⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
22⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
23⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
24⤵
PID:800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
25⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
26⤵
PID:568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
27⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
28⤵
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
29⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
30⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
31⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
32⤵
PID:636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
33⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
34⤵
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
35⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
36⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
37⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
38⤵
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
39⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
40⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
41⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
42⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
43⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
44⤵
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
45⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
46⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
47⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
48⤵
PID:1260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
49⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
50⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
51⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
52⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
53⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
54⤵
PID:1632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
55⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
56⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
57⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
58⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
59⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
60⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
61⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
62⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
63⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
64⤵
PID:316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
65⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
66⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
67⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
68⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
69⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
70⤵
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
71⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
72⤵
- Drops file in Windows directory
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
73⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
74⤵
- Drops file in Windows directory
PID:320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
75⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
76⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
77⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
78⤵
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
79⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
80⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
81⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
82⤵
PID:1496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
83⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
84⤵
PID:1384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
85⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
86⤵
PID:1572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
87⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
88⤵
PID:872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
89⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
90⤵
PID:1128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
91⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
92⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
93⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
94⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
95⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
96⤵
- Drops file in Windows directory
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
97⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
98⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
99⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
100⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
101⤵
- Drops file in Windows directory
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
102⤵
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
103⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
104⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
105⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
106⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
107⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
108⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
109⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
110⤵
PID:1280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
111⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
112⤵
PID:680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
113⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
114⤵
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
115⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
116⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
117⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
118⤵
PID:1832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
119⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
120⤵
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
121⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
122⤵
PID:2020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
123⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
124⤵
PID:1724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
125⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
126⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
127⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
128⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
129⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
130⤵
PID:1356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
131⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
132⤵
PID:320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
133⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
134⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
135⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
136⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
137⤵
- Drops file in Windows directory
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
138⤵
PID:800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
139⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
140⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
141⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
142⤵
PID:2040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
143⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
144⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
145⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
146⤵
PID:472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
147⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
148⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
149⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
150⤵
PID:980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
151⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
152⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
153⤵
- Drops file in Windows directory
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
154⤵
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
155⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
156⤵
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
157⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
158⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
159⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
160⤵
PID:1296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
161⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
162⤵
- Drops file in Windows directory
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
163⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
164⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
165⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
166⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
167⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
168⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
169⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
170⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
171⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
172⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
173⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
174⤵
PID:1740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
175⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
176⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
177⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
178⤵
PID:336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
179⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
180⤵
PID:2020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
181⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
182⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
183⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
184⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
185⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
186⤵
PID:1356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
187⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
188⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
189⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
190⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
191⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
192⤵
PID:836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
193⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
194⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
195⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
196⤵
PID:1280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
197⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
198⤵
- Drops file in Windows directory
PID:852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
199⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
200⤵
PID:1040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
201⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
202⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
203⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
204⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
205⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
206⤵
PID:1676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
207⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
208⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
209⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
210⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
211⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
212⤵
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
213⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
214⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
215⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
216⤵
PID:1296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
217⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
218⤵
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
219⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
220⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
221⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
222⤵
- Drops file in Windows directory
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
223⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
224⤵
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
225⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
226⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
227⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
228⤵
PID:636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
229⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
230⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
231⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
232⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
233⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
234⤵
PID:824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
235⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
236⤵
PID:324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
237⤵
- Drops file in Windows directory
PID:1936

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
238⤵
PID:2020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
239⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
240⤵
PID:280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
241⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
242⤵
- Drops file in Windows directory
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
243⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
244⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
245⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
246⤵
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
247⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
248⤵
- Drops file in Windows directory
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
249⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
250⤵
PID:1496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
251⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
252⤵
PID:1572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
253⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
254⤵
PID:852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
255⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
256⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
257⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
258⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
259⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
260⤵
PID:472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
261⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
262⤵
PID:848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
263⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
264⤵
PID:824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
265⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
266⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
267⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
268⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
269⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
270⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
271⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
272⤵
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
273⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
274⤵
PID:1720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
275⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
276⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
277⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
278⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
279⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
280⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
281⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
282⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
283⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
284⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
285⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
286⤵
PID:1040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
287⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
288⤵
- Drops file in Windows directory
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
289⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
290⤵
PID:1616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
291⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
292⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
293⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
294⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
295⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
296⤵
PID:324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
297⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
298⤵
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
299⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
300⤵
PID:1912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
301⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
302⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
303⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
304⤵
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
305⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
306⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
307⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
308⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
309⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
310⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
311⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
312⤵
PID:1572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
313⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
314⤵
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
315⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
316⤵
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
317⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
318⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
319⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
320⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
321⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
322⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
323⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
324⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
325⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
326⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
327⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
328⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
329⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
330⤵
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
331⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
332⤵
PID:524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
333⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
334⤵
PID:320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
335⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
336⤵
PID:836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
337⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
338⤵
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
339⤵
- Drops file in Windows directory
PID:1576

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
340⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
341⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
342⤵
PID:680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
343⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
344⤵
PID:636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
345⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
346⤵
PID:1740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
347⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
348⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
349⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
350⤵
PID:1108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
351⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
352⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
353⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
354⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
355⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
356⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
357⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
358⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
359⤵
- Drops file in Windows directory
PID:1176

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
360⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
361⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
362⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
363⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
364⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
365⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
366⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
367⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
368⤵
PID:976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
369⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
370⤵
PID:568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
371⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
372⤵
PID:1552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
373⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
374⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
375⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
376⤵
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
377⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
378⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
379⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
380⤵
PID:940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
381⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
382⤵
PID:848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
383⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
384⤵
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
385⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
386⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
387⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
388⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
389⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
390⤵
PID:1776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
391⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
392⤵
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
393⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
394⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
395⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
396⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
397⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
398⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
399⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
400⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
401⤵
- Drops file in Windows directory
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
402⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
403⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
404⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
405⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
406⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
407⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
408⤵
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
409⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
410⤵
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
411⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
412⤵
PID:980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
413⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
414⤵
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
415⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
416⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
417⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
418⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
419⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
420⤵
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
421⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
422⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
423⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
424⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
425⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
426⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
427⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
428⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
429⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
430⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
431⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
432⤵
PID:1280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
433⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
434⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
435⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
436⤵
PID:680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
437⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
438⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
439⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
440⤵
PID:1120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
441⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
442⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
443⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
444⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
445⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
446⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
447⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
448⤵
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
449⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
450⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
451⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
452⤵
PID:1176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
453⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
454⤵
PID:1296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
455⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
456⤵
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
457⤵
- Drops file in Windows directory
PID:1984

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
458⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
459⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
460⤵
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
461⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
462⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
463⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
464⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
465⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
466⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
467⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
468⤵
PID:2040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
469⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
470⤵
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
471⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
472⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
473⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
474⤵
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
475⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
476⤵
PID:1992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
477⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
478⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
479⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
480⤵
PID:1936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
481⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
482⤵
PID:1356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
483⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
484⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
485⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
486⤵
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
487⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
488⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
489⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
490⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
491⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
492⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
493⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
494⤵
PID:1552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
495⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
496⤵
PID:1508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
497⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
498⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
499⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
500⤵
PID:1120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
501⤵
- Drops file in Windows directory
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
502⤵
PID:1560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
503⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
504⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
505⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
506⤵
- Drops file in Windows directory
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
507⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
508⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
509⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
510⤵
PID:280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
511⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
512⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
513⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
514⤵
PID:1976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
515⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
516⤵
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
517⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
518⤵
PID:552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
519⤵
- Drops file in Windows directory
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
520⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
521⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
522⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
523⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
524⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
525⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
526⤵
PID:760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
527⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
528⤵
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
529⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
530⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
531⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
532⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
533⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
534⤵
PID:1016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
535⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
536⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
537⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
538⤵
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
539⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
540⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
541⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
542⤵
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
543⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
544⤵
PID:1176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
545⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
546⤵
PID:984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
547⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
548⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
549⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
550⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
551⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
552⤵
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
553⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
554⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
555⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
556⤵
PID:1632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
557⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
558⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
559⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
560⤵
PID:680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
561⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
562⤵
PID:872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
563⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
564⤵
PID:1216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
565⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
566⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
567⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
568⤵
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
569⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
570⤵
PID:1532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
571⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
572⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
573⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
574⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
575⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
576⤵
PID:1176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
577⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
578⤵
PID:1312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
579⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
580⤵
PID:1256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
581⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
582⤵
PID:976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
583⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
584⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
585⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
586⤵
PID:1500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
587⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
588⤵
PID:1472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
589⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
590⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
591⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
592⤵
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
593⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
594⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
595⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
596⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
597⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
598⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
599⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
600⤵
PID:1756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
601⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
602⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
603⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
604⤵
PID:280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
605⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
606⤵
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
607⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
608⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
609⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
610⤵
PID:984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
611⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
612⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
613⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
614⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
615⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
616⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
617⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
618⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
619⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
620⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
621⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
622⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
623⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
624⤵
PID:636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
625⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
626⤵
PID:472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
627⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
628⤵
PID:1120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
629⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
630⤵
PID:980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
631⤵
- Drops file in Windows directory
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
632⤵
PID:1980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
633⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
634⤵
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
635⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
636⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
637⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
638⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
639⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
640⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
641⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
642⤵
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
643⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
644⤵
PID:1252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
645⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
646⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
647⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
648⤵
PID:1384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
649⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
650⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
651⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
652⤵
PID:1572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
653⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
654⤵
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
655⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
656⤵
PID:336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
657⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
658⤵
PID:1832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
659⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
660⤵
PID:1560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
661⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
662⤵
- Drops file in Windows directory
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
663⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
664⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
665⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
666⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
667⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
668⤵
- Drops file in Windows directory
PID:2000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
669⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
670⤵
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
671⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
672⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
673⤵
- Drops file in Windows directory
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
674⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
675⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
676⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
677⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
678⤵
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
679⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
680⤵
PID:596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
681⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
682⤵
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
683⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
684⤵
PID:1500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
685⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
686⤵
PID:680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
687⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
688⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
689⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
690⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
1⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
2⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
3⤵
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
4⤵
- Drops file in Windows directory
PID:596

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
5⤵
PID:1808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
6⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
7⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
8⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
9⤵
PID:316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
10⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
11⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
12⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
13⤵
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
14⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
15⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
16⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
17⤵
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
18⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
19⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
20⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
21⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
22⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
23⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
24⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
25⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
26⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
27⤵
PID:1900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
28⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
29⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
30⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
31⤵
PID:1128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
32⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
33⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
34⤵
- Drops file in Windows directory
PID:596

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
35⤵
PID:1832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
36⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
37⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
38⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
39⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
40⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
41⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
42⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
43⤵
PID:940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
44⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
45⤵
PID:824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
46⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
47⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
48⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
49⤵
PID:112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
50⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
51⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
52⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
53⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
54⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
55⤵
PID:1280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
56⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
57⤵
PID:1384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
58⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
59⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
60⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
61⤵
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
62⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
63⤵
PID:808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
64⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
65⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
66⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
67⤵
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
68⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
69⤵
PID:1784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
70⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
71⤵
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
72⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
73⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
74⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
75⤵
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
76⤵
- Drops file in Windows directory
PID:1952

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
77⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
78⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
79⤵
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
80⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
81⤵
PID:1720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
82⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
83⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
84⤵
- Drops file in Windows directory
PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
85⤵
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
86⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
87⤵
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
88⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
89⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
90⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
91⤵
PID:1740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
92⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
93⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
94⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
95⤵
PID:296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
96⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
97⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
98⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
99⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
100⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
101⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
102⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
103⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
104⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
105⤵
PID:1568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
106⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
107⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
108⤵
- Drops file in Windows directory
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
109⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
110⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
111⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
112⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
113⤵
PID:1040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
114⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
115⤵
PID:2040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
116⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
117⤵
PID:516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
118⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
119⤵
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
120⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
121⤵
PID:324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
122⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
123⤵
PID:316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
124⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
125⤵
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
126⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
127⤵
- Drops file in Windows directory
PID:1776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
128⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
129⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
130⤵
- Drops file in Windows directory
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
131⤵
PID:1416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
132⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
133⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
134⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
135⤵
PID:800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
136⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
137⤵
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
138⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
139⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
140⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
141⤵
PID:852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
142⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
143⤵
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
144⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
145⤵
PID:596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
146⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
147⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
148⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
149⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
150⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
151⤵
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
152⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
153⤵
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
154⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
155⤵
PID:1724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
156⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
157⤵
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
158⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
159⤵
PID:1912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
160⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
161⤵
PID:1176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
162⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
163⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
164⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
165⤵
PID:568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
166⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
167⤵
PID:836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
168⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
169⤵
PID:1496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
170⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
171⤵
PID:1372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
172⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
173⤵
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
174⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
175⤵
PID:472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
176⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
177⤵
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
178⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
179⤵
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
180⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
181⤵
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
182⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
183⤵
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
184⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
185⤵
PID:1992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
186⤵
- Drops file in Windows directory
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
187⤵
PID:1936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
188⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
189⤵
PID:1356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
190⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
191⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
192⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
193⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
194⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
195⤵
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
196⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
197⤵
- Drops file in Windows directory
PID:1636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
198⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
199⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
200⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
201⤵
- Drops file in Windows directory
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
202⤵
- Drops file in Windows directory
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
203⤵
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
204⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
205⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
206⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
207⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
208⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
209⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
210⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
211⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
212⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
213⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
214⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
215⤵
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
216⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
217⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
218⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
219⤵
- Drops file in Windows directory
PID:1296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
220⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
221⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
222⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
223⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
224⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
225⤵
PID:1940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
226⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
227⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
228⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
229⤵
PID:2040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
230⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
91⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
92⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
93⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
94⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
95⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
96⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
97⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
98⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
99⤵
PID:540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
100⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
101⤵
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
102⤵
- Drops file in Windows directory
PID:1952

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
103⤵
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
104⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
105⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
106⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
107⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
108⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
109⤵
PID:568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
110⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
111⤵
PID:1732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
112⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
113⤵
PID:1508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
114⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
115⤵
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
116⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
117⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
118⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
119⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
120⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
121⤵
PID:324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
122⤵
- Drops file in Windows directory
PID:296

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
123⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
124⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE
125⤵
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FEAD52~1.EXE"
126⤵
PID:552

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
5269f2ac8702544bbb872aed6efa3711

SHA1
313dcb79d5bbfada2ce7fc61b762b3bbdaf0a8f1

SHA256
655b5ffb9ddfe5145e5321e4c7569201ef6e6afa3afbdeb25c57a25369a0ce47

SHA512
26e8ba1172393ce1a1c2a1d6fedef5a5308173709bd630df199b4dfdc0967368f12975f4b59c0391c121b8a7141c5d9a1f6d9d9dab34b333c295430992198d47

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
5269f2ac8702544bbb872aed6efa3711

SHA1
313dcb79d5bbfada2ce7fc61b762b3bbdaf0a8f1

SHA256
655b5ffb9ddfe5145e5321e4c7569201ef6e6afa3afbdeb25c57a25369a0ce47

SHA512
26e8ba1172393ce1a1c2a1d6fedef5a5308173709bd630df199b4dfdc0967368f12975f4b59c0391c121b8a7141c5d9a1f6d9d9dab34b333c295430992198d47

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
5269f2ac8702544bbb872aed6efa3711

SHA1
313dcb79d5bbfada2ce7fc61b762b3bbdaf0a8f1

SHA256
655b5ffb9ddfe5145e5321e4c7569201ef6e6afa3afbdeb25c57a25369a0ce47

SHA512
26e8ba1172393ce1a1c2a1d6fedef5a5308173709bd630df199b4dfdc0967368f12975f4b59c0391c121b8a7141c5d9a1f6d9d9dab34b333c295430992198d47

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
5269f2ac8702544bbb872aed6efa3711

SHA1
313dcb79d5bbfada2ce7fc61b762b3bbdaf0a8f1

SHA256
655b5ffb9ddfe5145e5321e4c7569201ef6e6afa3afbdeb25c57a25369a0ce47

SHA512
26e8ba1172393ce1a1c2a1d6fedef5a5308173709bd630df199b4dfdc0967368f12975f4b59c0391c121b8a7141c5d9a1f6d9d9dab34b333c295430992198d47

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
5269f2ac8702544bbb872aed6efa3711

SHA1
313dcb79d5bbfada2ce7fc61b762b3bbdaf0a8f1

SHA256
655b5ffb9ddfe5145e5321e4c7569201ef6e6afa3afbdeb25c57a25369a0ce47

SHA512
26e8ba1172393ce1a1c2a1d6fedef5a5308173709bd630df199b4dfdc0967368f12975f4b59c0391c121b8a7141c5d9a1f6d9d9dab34b333c295430992198d47

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
cddf5073412296af5aa75408a0e73a2f

SHA1
a3b729745fc0228b42f21a65b896ac0f452d2d4b

SHA256
b47b2269c9e5c4c1dd8023ca670dc316fd31a8d928717b52b5725655d7d88faf

SHA512
2bf88b352e2a87b0857b66c813cfde478fa226d76520de67ec153a3240a33fef7354a848a542d4851523d4af315a2a285c9a24f0b362fa5308228e1c5724f91f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fead52266337c7c1ce34e160069973673c3c5932b3588f06f0c6b014c0cb78dd.exe
Filesize
663KB

MD5
897578a171912913b5a25cf63b9776b6

SHA1
c0576b958c47d0deebbe502717dbcb5cb66ef203

SHA256
2f2585e7759bb5df4b14c2de77ac339eb91349568dfda3e127de1c5ee5d2b223

SHA512
8493823d02f664577fa118992b923d0f6ab00200aee33aa298ba9cd949d824497695e10dc0766727f77a4ad5d1a4cd6bee995d0cb4540a7d174ac1d0a8c52bef

Download Submit
memory/112-215-0x0000000000000000-mapping.dmp

Download
memory/324-62-0x0000000000000000-mapping.dmp

Download
memory/324-243-0x0000000000000000-mapping.dmp

Download
memory/336-71-0x0000000000000000-mapping.dmp

Download
memory/396-141-0x0000000000000000-mapping.dmp

Download
memory/396-197-0x0000000000000000-mapping.dmp

Download
memory/436-84-0x0000000000000000-mapping.dmp

Download
memory/472-134-0x0000000000000000-mapping.dmp

Download
memory/472-195-0x0000000000000000-mapping.dmp

Download
memory/540-154-0x0000000000000000-mapping.dmp

Download
memory/564-233-0x0000000000000000-mapping.dmp

Download
memory/568-177-0x0000000000000000-mapping.dmp

Download
memory/580-187-0x0000000000000000-mapping.dmp

Download
memory/668-151-0x0000000000000000-mapping.dmp

Download
memory/680-237-0x0000000000000000-mapping.dmp

Download
memory/692-223-0x0000000000000000-mapping.dmp

Download
memory/700-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/800-173-0x0000000000000000-mapping.dmp

Download
memory/844-165-0x0000000000000000-mapping.dmp

Download
memory/872-241-0x0000000000000000-mapping.dmp

Download
memory/908-124-0x0000000000000000-mapping.dmp

Download
memory/940-161-0x0000000000000000-mapping.dmp

Download
memory/976-181-0x0000000000000000-mapping.dmp

Download
memory/976-231-0x0000000000000000-mapping.dmp

Download
memory/1044-91-0x0000000000000000-mapping.dmp

Download
memory/1088-203-0x0000000000000000-mapping.dmp

Download
memory/1220-175-0x0000000000000000-mapping.dmp

Download
memory/1252-221-0x0000000000000000-mapping.dmp

Download
memory/1252-104-0x0000000000000000-mapping.dmp

Download
memory/1256-213-0x0000000000000000-mapping.dmp

Download
memory/1280-225-0x0000000000000000-mapping.dmp

Download
memory/1320-57-0x0000000000000000-mapping.dmp

Download
memory/1328-211-0x0000000000000000-mapping.dmp

Download
memory/1352-189-0x0000000000000000-mapping.dmp

Download
memory/1356-217-0x0000000000000000-mapping.dmp

Download
memory/1364-114-0x0000000000000000-mapping.dmp

Download
memory/1364-183-0x0000000000000000-mapping.dmp

Download
memory/1372-235-0x0000000000000000-mapping.dmp

Download
memory/1496-131-0x0000000000000000-mapping.dmp

Download
memory/1552-81-0x0000000000000000-mapping.dmp

Download
memory/1568-219-0x0000000000000000-mapping.dmp

Download
memory/1568-169-0x0000000000000000-mapping.dmp

Download
memory/1628-245-0x0000000000000000-mapping.dmp

Download
memory/1644-185-0x0000000000000000-mapping.dmp

Download
memory/1704-193-0x0000000000000000-mapping.dmp

Download
memory/1720-179-0x0000000000000000-mapping.dmp

Download
memory/1724-159-0x0000000000000000-mapping.dmp

Download
memory/1732-121-0x0000000000000000-mapping.dmp

Download
memory/1740-239-0x0000000000000000-mapping.dmp

Download
memory/1776-207-0x0000000000000000-mapping.dmp

Download
memory/1784-205-0x0000000000000000-mapping.dmp

Download
memory/1788-191-0x0000000000000000-mapping.dmp

Download
memory/1800-111-0x0000000000000000-mapping.dmp

Download
memory/1836-199-0x0000000000000000-mapping.dmp

Download
memory/1840-171-0x0000000000000000-mapping.dmp

Download
memory/1840-94-0x0000000000000000-mapping.dmp

Download
memory/1844-74-0x0000000000000000-mapping.dmp

Download
memory/1888-144-0x0000000000000000-mapping.dmp

Download
memory/1912-209-0x0000000000000000-mapping.dmp

Download
memory/1936-101-0x0000000000000000-mapping.dmp

Download
memory/1952-163-0x0000000000000000-mapping.dmp

Download
memory/1960-167-0x0000000000000000-mapping.dmp

Download
memory/1964-227-0x0000000000000000-mapping.dmp

Download
memory/2004-201-0x0000000000000000-mapping.dmp

Download
memory/2040-229-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads