neshta | 9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a

Analysis

max time kernel
154s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Size

291KB
MD5

18a788bc27b5416488ffdd71f520ae20
SHA1

ce0720e1a6419348f0f3abd1270cca4adac565ec
SHA256

9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a
SHA512

493aacc53c63d64670c638ac45579b1f79159816bfd87ab7666a394bd8c54c4364a236a7e87c49766f33d95e511d1dc65e41dff7e5a38110c5e5b0819157fd7d
SSDEEP

6144:k96QaI8iHZHZM/Pkb7k638rhO+eMs379:3aX55M/aMrhO+eMs3

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 34 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exesvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com

pid	process
5024	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
4076	svchost.com
2276	9FD4AE~1.EXE
1812	svchost.com
2984	9FD4AE~1.EXE
4552	svchost.com
2496	9FD4AE~1.EXE
2092	svchost.com
3184	9FD4AE~1.EXE
204	svchost.com
4784	9FD4AE~1.EXE
4832	svchost.com
1508	9FD4AE~1.EXE
3144	svchost.com
4964	9FD4AE~1.EXE
3996	svchost.com
3872	9FD4AE~1.EXE
2252	svchost.com
4608	9FD4AE~1.EXE
3616	svchost.com
1100	9FD4AE~1.EXE
3320	svchost.com
4428	9FD4AE~1.EXE
4036	svchost.com
3816	9FD4AE~1.EXE
3524	svchost.com
1068	9FD4AE~1.EXE
1576	svchost.com
2172	9FD4AE~1.EXE
796	svchost.com
5112	9FD4AE~1.EXE
1924	svchost.com
4456	9FD4AE~1.EXE
3292	svchost.com
4536	9FD4AE~1.EXE
4352	svchost.com
3084	9FD4AE~1.EXE
3020	svchost.com
1432	9FD4AE~1.EXE
3448	svchost.com
1112	9FD4AE~1.EXE
1416	svchost.com
2244	9FD4AE~1.EXE
1688	svchost.com
3056	9FD4AE~1.EXE
3660	svchost.com
1472	9FD4AE~1.EXE
1096	svchost.com
2280	9FD4AE~1.EXE
3100	svchost.com
3972	9FD4AE~1.EXE
3716	svchost.com
3232	9FD4AE~1.EXE
4620	svchost.com
2140	9FD4AE~1.EXE
3328	svchost.com
3312	9FD4AE~1.EXE
612	svchost.com
804	9FD4AE~1.EXE
1056	svchost.com
4056	9FD4AE~1.EXE
3568	svchost.com
204	9FD4AE~1.EXE
4804	svchost.com

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9FD4AE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\msedge.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXEsvchost.com9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXEsvchost.com9FD4AE~1.EXE9FD4AE~1.EXEsvchost.comsvchost.com9FD4AE~1.EXE9FD4AE~1.EXEsvchost.com9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXEsvchost.comsvchost.comsvchost.com9FD4AE~1.EXEsvchost.comsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE9FD4AE~1.EXE

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com
File opened for modification	C:\Windows\directx.sys	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\directx.sys
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE
File opened for modification	C:\Windows\svchost.com	9FD4AE~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	9FD4AE~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exesvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXEsvchost.com9FD4AE~1.EXE

description	pid	process	target process
PID 5072 wrote to memory of 5024	5072	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
PID 5072 wrote to memory of 5024	5072	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
PID 5072 wrote to memory of 5024	5072	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
PID 5024 wrote to memory of 4076	5024	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	svchost.com
PID 5024 wrote to memory of 4076	5024	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	svchost.com
PID 5024 wrote to memory of 4076	5024	9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe	svchost.com
PID 4076 wrote to memory of 2276	4076	svchost.com	9FD4AE~1.EXE
PID 4076 wrote to memory of 2276	4076	svchost.com	9FD4AE~1.EXE
PID 4076 wrote to memory of 2276	4076	svchost.com	9FD4AE~1.EXE
PID 2276 wrote to memory of 1812	2276	9FD4AE~1.EXE	svchost.com
PID 2276 wrote to memory of 1812	2276	9FD4AE~1.EXE	svchost.com
PID 2276 wrote to memory of 1812	2276	9FD4AE~1.EXE	svchost.com
PID 1812 wrote to memory of 2984	1812	svchost.com	9FD4AE~1.EXE
PID 1812 wrote to memory of 2984	1812	svchost.com	9FD4AE~1.EXE
PID 1812 wrote to memory of 2984	1812	svchost.com	9FD4AE~1.EXE
PID 2984 wrote to memory of 4552	2984	9FD4AE~1.EXE	svchost.com
PID 2984 wrote to memory of 4552	2984	9FD4AE~1.EXE	svchost.com
PID 2984 wrote to memory of 4552	2984	9FD4AE~1.EXE	svchost.com
PID 4552 wrote to memory of 2496	4552	svchost.com	9FD4AE~1.EXE
PID 4552 wrote to memory of 2496	4552	svchost.com	9FD4AE~1.EXE
PID 4552 wrote to memory of 2496	4552	svchost.com	9FD4AE~1.EXE
PID 2496 wrote to memory of 2092	2496	9FD4AE~1.EXE	svchost.com
PID 2496 wrote to memory of 2092	2496	9FD4AE~1.EXE	svchost.com
PID 2496 wrote to memory of 2092	2496	9FD4AE~1.EXE	svchost.com
PID 2092 wrote to memory of 3184	2092	svchost.com	9FD4AE~1.EXE
PID 2092 wrote to memory of 3184	2092	svchost.com	9FD4AE~1.EXE
PID 2092 wrote to memory of 3184	2092	svchost.com	9FD4AE~1.EXE
PID 3184 wrote to memory of 204	3184	9FD4AE~1.EXE	svchost.com
PID 3184 wrote to memory of 204	3184	9FD4AE~1.EXE	svchost.com
PID 3184 wrote to memory of 204	3184	9FD4AE~1.EXE	svchost.com
PID 204 wrote to memory of 4784	204	svchost.com	9FD4AE~1.EXE
PID 204 wrote to memory of 4784	204	svchost.com	9FD4AE~1.EXE
PID 204 wrote to memory of 4784	204	svchost.com	9FD4AE~1.EXE
PID 4784 wrote to memory of 4832	4784	9FD4AE~1.EXE	svchost.com
PID 4784 wrote to memory of 4832	4784	9FD4AE~1.EXE	svchost.com
PID 4784 wrote to memory of 4832	4784	9FD4AE~1.EXE	svchost.com
PID 4832 wrote to memory of 1508	4832	svchost.com	9FD4AE~1.EXE
PID 4832 wrote to memory of 1508	4832	svchost.com	9FD4AE~1.EXE
PID 4832 wrote to memory of 1508	4832	svchost.com	9FD4AE~1.EXE
PID 1508 wrote to memory of 3144	1508	9FD4AE~1.EXE	svchost.com
PID 1508 wrote to memory of 3144	1508	9FD4AE~1.EXE	svchost.com
PID 1508 wrote to memory of 3144	1508	9FD4AE~1.EXE	svchost.com
PID 3144 wrote to memory of 4964	3144	svchost.com	9FD4AE~1.EXE
PID 3144 wrote to memory of 4964	3144	svchost.com	9FD4AE~1.EXE
PID 3144 wrote to memory of 4964	3144	svchost.com	9FD4AE~1.EXE
PID 4964 wrote to memory of 3996	4964	9FD4AE~1.EXE	svchost.com
PID 4964 wrote to memory of 3996	4964	9FD4AE~1.EXE	svchost.com
PID 4964 wrote to memory of 3996	4964	9FD4AE~1.EXE	svchost.com
PID 3996 wrote to memory of 3872	3996	svchost.com	9FD4AE~1.EXE
PID 3996 wrote to memory of 3872	3996	svchost.com	9FD4AE~1.EXE
PID 3996 wrote to memory of 3872	3996	svchost.com	9FD4AE~1.EXE
PID 3872 wrote to memory of 2252	3872	9FD4AE~1.EXE	svchost.com
PID 3872 wrote to memory of 2252	3872	9FD4AE~1.EXE	svchost.com
PID 3872 wrote to memory of 2252	3872	9FD4AE~1.EXE	svchost.com
PID 2252 wrote to memory of 4608	2252	svchost.com	9FD4AE~1.EXE
PID 2252 wrote to memory of 4608	2252	svchost.com	9FD4AE~1.EXE
PID 2252 wrote to memory of 4608	2252	svchost.com	9FD4AE~1.EXE
PID 4608 wrote to memory of 3616	4608	9FD4AE~1.EXE	svchost.com
PID 4608 wrote to memory of 3616	4608	9FD4AE~1.EXE	svchost.com
PID 4608 wrote to memory of 3616	4608	9FD4AE~1.EXE	svchost.com
PID 3616 wrote to memory of 1100	3616	svchost.com	9FD4AE~1.EXE
PID 3616 wrote to memory of 1100	3616	svchost.com	9FD4AE~1.EXE
PID 3616 wrote to memory of 1100	3616	svchost.com	9FD4AE~1.EXE
PID 1100 wrote to memory of 3320	1100	9FD4AE~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
"C:\Users\Admin\AppData\Local\Temp\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
12⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
16⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
20⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
22⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
23⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
24⤵
- Executes dropped EXE
PID:4428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
25⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
26⤵
- Executes dropped EXE
PID:3816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
27⤵
- Executes dropped EXE
PID:3524

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
28⤵
- Executes dropped EXE
- Checks computer location settings
PID:1068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
29⤵
- Executes dropped EXE
PID:1576

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
30⤵
- Executes dropped EXE
PID:2172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
31⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
32⤵
- Executes dropped EXE
- Checks computer location settings
PID:5112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
33⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
34⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
35⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
36⤵
- Executes dropped EXE
- Modifies registry class
PID:4536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
37⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
38⤵
- Executes dropped EXE
PID:3084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
39⤵
- Executes dropped EXE
PID:3020

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
40⤵
- Executes dropped EXE
PID:1432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
41⤵
- Executes dropped EXE
PID:3448

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
42⤵
- Executes dropped EXE
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
43⤵
- Executes dropped EXE
PID:1416

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
44⤵
- Executes dropped EXE
PID:2244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
45⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
46⤵
- Executes dropped EXE
PID:3056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
47⤵
- Executes dropped EXE
PID:3660

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
48⤵
- Executes dropped EXE
PID:1472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
49⤵
- Executes dropped EXE
PID:1096

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
50⤵
- Executes dropped EXE
PID:2280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
51⤵
- Executes dropped EXE
PID:3100

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
52⤵
- Executes dropped EXE
PID:3972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
53⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3716

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
54⤵
- Executes dropped EXE
PID:3232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
55⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
56⤵
- Executes dropped EXE
PID:2140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
57⤵
- Executes dropped EXE
PID:3328

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
58⤵
- Executes dropped EXE
- Modifies registry class
PID:3312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
59⤵
- Executes dropped EXE
PID:612

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
60⤵
- Executes dropped EXE
- Checks computer location settings
PID:804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
61⤵
- Executes dropped EXE
PID:1056

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
62⤵
- Executes dropped EXE
- Modifies registry class
PID:4056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
63⤵
- Executes dropped EXE
PID:3568

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
64⤵
- Executes dropped EXE
PID:204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
65⤵
- Executes dropped EXE
PID:4804

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
66⤵
PID:4516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
67⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
68⤵
- Modifies registry class
PID:4480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
69⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
70⤵
PID:1012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
71⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
72⤵
PID:3872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
73⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
74⤵
PID:4512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
75⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
76⤵
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
77⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
78⤵
PID:2388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
79⤵
- Drops file in Windows directory
PID:3668

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
80⤵
PID:4504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
81⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
82⤵
PID:2756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
83⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
84⤵
PID:3816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
85⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
86⤵
PID:4672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
87⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
88⤵
PID:2088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
89⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
90⤵
PID:4860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
91⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
92⤵
- Drops file in Windows directory
PID:4572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
93⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
94⤵
PID:1412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
95⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
96⤵
- Checks computer location settings
PID:3292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
97⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
98⤵
PID:3604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
99⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
100⤵
- Checks computer location settings
PID:5096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
101⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
102⤵
PID:4752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
103⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
104⤵
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
105⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
106⤵
PID:444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
107⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
108⤵
- Checks computer location settings
PID:1896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
109⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
110⤵
- Modifies registry class
PID:3088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
111⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
112⤵
PID:4068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
113⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
114⤵
PID:5032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
115⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
116⤵
PID:3716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
117⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
118⤵
PID:4472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
119⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
120⤵
PID:4276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
121⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
122⤵
- Modifies registry class
PID:3312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
123⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
124⤵
PID:2044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
125⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
126⤵
PID:260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
127⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
128⤵
PID:2872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
129⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
130⤵
PID:2236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
131⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
132⤵
PID:4224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
133⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
134⤵
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
135⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
136⤵
PID:1268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
137⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
138⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
139⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
140⤵
- Checks computer location settings
PID:3260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
141⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
142⤵
PID:3896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
143⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
144⤵
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
145⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
146⤵
- Drops file in Windows directory
PID:3408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
147⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
148⤵
- Modifies registry class
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
149⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
150⤵
- Modifies registry class
PID:1248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
151⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
152⤵
PID:4872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
153⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
154⤵
PID:2476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
155⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
156⤵
PID:3948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
157⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
158⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
159⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
160⤵
PID:3416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
161⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
162⤵
PID:4676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
163⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
164⤵
- Modifies registry class
PID:2244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
165⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
166⤵
PID:5092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
167⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
168⤵
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
169⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
170⤵
- Modifies registry class
PID:3964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
171⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
172⤵
PID:5032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
173⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
174⤵
PID:4076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
175⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
176⤵
PID:1812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
177⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
178⤵
PID:3512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
179⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
180⤵
PID:3976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
181⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
182⤵
- Modifies registry class
PID:1056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
183⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
184⤵
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
185⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
186⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
187⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
188⤵
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
189⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
190⤵
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
191⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
192⤵
- Modifies registry class
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
193⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
194⤵
PID:1540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
195⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
196⤵
PID:2788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
197⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
198⤵
PID:3320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
199⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
200⤵
PID:4840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
201⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
202⤵
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
203⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
204⤵
PID:1548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
205⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
206⤵
PID:1120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
207⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
208⤵
PID:4080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
209⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
210⤵
- Drops file in Windows directory
PID:4616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
211⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
212⤵
PID:3644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
213⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
214⤵
- Checks computer location settings
PID:3084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
215⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
216⤵
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
217⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
218⤵
PID:1416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
219⤵
- Drops file in Windows directory
PID:4120

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
220⤵
PID:1492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
221⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
222⤵
- Checks computer location settings
PID:1860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
223⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
224⤵
- Modifies registry class
PID:868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
225⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
226⤵
PID:3356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
227⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
228⤵
PID:2468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
229⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
230⤵
PID:2680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
231⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
232⤵
PID:2140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
233⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
234⤵
PID:3512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
235⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
236⤵
PID:3228

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
237⤵
PID:100

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
238⤵
- Modifies registry class
PID:804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
239⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
240⤵
PID:4488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
241⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
242⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
243⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
244⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
245⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
246⤵
- Checks computer location settings
PID:4480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
247⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
248⤵
PID:4964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
249⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
250⤵
PID:1048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
251⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
252⤵
PID:2844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
253⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
254⤵
PID:2788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
255⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
256⤵
PID:3320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
257⤵
- Drops file in Windows directory
PID:1068

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
258⤵
PID:380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
259⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
260⤵
- Checks computer location settings
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
261⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
262⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
263⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
264⤵
- Modifies registry class
PID:4492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
265⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
266⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
267⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
268⤵
- Checks computer location settings
PID:3948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
269⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
270⤵
- Checks computer location settings
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
271⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
272⤵
PID:3448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
273⤵
- Drops file in Windows directory
PID:2056

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
274⤵
PID:1416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
275⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
276⤵
PID:1292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
277⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
278⤵
PID:536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
279⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
280⤵
PID:4068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
281⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
282⤵
- Modifies registry class
PID:4588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
283⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
284⤵
- Checks computer location settings
PID:1648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
285⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
286⤵
PID:2140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
287⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
288⤵
PID:3512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
289⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
290⤵
PID:3516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
291⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
292⤵
PID:2092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
293⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
294⤵
PID:3096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
295⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
296⤵
- Checks computer location settings
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
297⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
298⤵
PID:2856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
299⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
300⤵
PID:4428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
301⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
302⤵
PID:4644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
303⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
304⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
305⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
306⤵
- Modifies registry class
PID:4640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
307⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
308⤵
PID:2284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
309⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
310⤵
- Checks computer location settings
PID:3896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
311⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
312⤵
PID:1612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
313⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
314⤵
- Drops file in Windows directory
PID:1464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
315⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
316⤵
PID:2392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
317⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
318⤵
- Drops file in Windows directory
PID:4760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
319⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
320⤵
PID:4648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
321⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
322⤵
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
323⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
324⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
325⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
326⤵
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
327⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
328⤵
PID:1688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
329⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
330⤵
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
331⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
332⤵
- Drops file in Windows directory
PID:5000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
333⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
334⤵
PID:3968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
335⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
336⤵
PID:2468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
337⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
338⤵
PID:2680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
339⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
340⤵
PID:772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
341⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
342⤵
- Drops file in Windows directory
PID:2496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
343⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
344⤵
PID:100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
345⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
346⤵
PID:4060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
347⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
348⤵
PID:5060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
349⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
350⤵
PID:4516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
351⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
352⤵
PID:5080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
353⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
354⤵
- Checks computer location settings
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
355⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
356⤵
PID:1268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
357⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
358⤵
- Modifies registry class
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
359⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
360⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
361⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
362⤵
PID:3164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
363⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
364⤵
- Drops file in Windows directory
PID:2124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
365⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
366⤵
- Modifies registry class
PID:4484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
367⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
368⤵
PID:796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
369⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
370⤵
PID:4500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
371⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
372⤵
- Checks computer location settings
PID:3960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
373⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
374⤵
- Modifies registry class
PID:4536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
375⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
376⤵
- Checks computer location settings
PID:4284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
377⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
378⤵
PID:1448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
379⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
380⤵
PID:4924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
381⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
382⤵
PID:3444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
383⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
384⤵
- Modifies registry class
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
385⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
386⤵
PID:4808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
387⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
388⤵
PID:3968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
389⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
390⤵
PID:3396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
391⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
392⤵
PID:2680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
393⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
394⤵
PID:2808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
395⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
396⤵
- Checks computer location settings
PID:4660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
397⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
398⤵
PID:3568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
399⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
400⤵
PID:4804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
401⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
402⤵
- Checks computer location settings
PID:3892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
403⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
404⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
405⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
406⤵
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
407⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
408⤵
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
409⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
410⤵
PID:3480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
411⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
412⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
413⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
414⤵
PID:2732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
415⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
416⤵
PID:4972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
417⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
418⤵
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
419⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
420⤵
PID:3856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
421⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
422⤵
PID:3368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
423⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
424⤵
PID:4748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
425⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
426⤵
PID:4824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
427⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
428⤵
PID:2008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
429⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
430⤵
PID:872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
431⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
432⤵
PID:3156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
433⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
434⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
435⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
436⤵
- Checks computer location settings
PID:4120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
437⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
438⤵
PID:3648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
439⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
440⤵
PID:1288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
441⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
442⤵
PID:4776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
443⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
444⤵
PID:1220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
445⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
446⤵
PID:4276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
447⤵
- Drops file in Windows directory
PID:1812

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
448⤵
PID:3328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
449⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
450⤵
- Checks computer location settings
PID:1884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
451⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
452⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
453⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
454⤵
PID:4660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
455⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
456⤵
PID:3568

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
457⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
458⤵
- Checks computer location settings
PID:4804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
459⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
460⤵
PID:4832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
461⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
462⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
463⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
464⤵
PID:756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
465⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
466⤵
PID:4428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
467⤵
- Drops file in Windows directory
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
468⤵
PID:2272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
469⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
470⤵
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
471⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
472⤵
PID:1460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
473⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
474⤵
PID:4972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
475⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
476⤵
- Checks computer location settings
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
477⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
478⤵
PID:3856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
479⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
480⤵
- Drops file in Windows directory
PID:4596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
481⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
482⤵
PID:388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
483⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
484⤵
PID:4184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
485⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
486⤵
PID:4492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
487⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
488⤵
PID:4352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
489⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
490⤵
PID:4536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
491⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
492⤵
- Drops file in Windows directory
PID:4952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
493⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
494⤵
- Modifies registry class
PID:1448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
495⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
496⤵
PID:4924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
497⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
498⤵
PID:2852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
499⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
500⤵
- Modifies registry class
PID:3208

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
501⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
502⤵
PID:4068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
503⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
504⤵
- Modifies registry class
PID:4796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
505⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
506⤵
PID:1648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
507⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
508⤵
PID:2800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
509⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
510⤵
- Checks computer location settings
PID:3312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
511⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
512⤵
- Checks computer location settings
PID:4948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
513⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
514⤵
PID:3780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
515⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
516⤵
PID:4064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
517⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
518⤵
PID:3748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
519⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
520⤵
- Modifies registry class
PID:4836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
521⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
522⤵
PID:3996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
523⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
524⤵
PID:3640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
525⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
526⤵
PID:3148

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
527⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
528⤵
PID:2740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
529⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
530⤵
PID:5036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
531⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
532⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
533⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
534⤵
PID:4032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
535⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
536⤵
- Drops file in Windows directory
PID:1396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
537⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
538⤵
- Checks computer location settings
- Drops file in Windows directory
PID:800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
539⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
540⤵
PID:3368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
541⤵
- Drops file in Windows directory
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
542⤵
PID:4748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
543⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
544⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
545⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
546⤵
- Checks computer location settings
- Modifies registry class
PID:2360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
547⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
548⤵
PID:4688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
549⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
550⤵
- Checks computer location settings
PID:1432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
551⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
552⤵
PID:3016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
553⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
554⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
555⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
556⤵
PID:3660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
557⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
558⤵
PID:3444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
559⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
560⤵
PID:4084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
561⤵
- Drops file in Windows directory
PID:3972

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
562⤵
PID:4776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
563⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
564⤵
- Drops file in Windows directory
- Modifies registry class
PID:3964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
565⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
566⤵
PID:2068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
567⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
568⤵
PID:2140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
569⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
570⤵
- Modifies registry class
PID:612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
571⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
572⤵
PID:3312

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
573⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
574⤵
PID:1056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
575⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
576⤵
PID:224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
577⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
578⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
579⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
580⤵
PID:2636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
581⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
582⤵
PID:4480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
583⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
584⤵
PID:2052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
585⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
586⤵
PID:4944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
587⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
588⤵
PID:3472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
589⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
590⤵
PID:2272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
591⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
592⤵
PID:3696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
593⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
594⤵
- Checks computer location settings
PID:3668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
595⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
596⤵
PID:4972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
597⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
598⤵
PID:3052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
599⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
600⤵
PID:1612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
601⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
602⤵
PID:4860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
603⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
604⤵
PID:1464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
605⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
606⤵
PID:1924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
607⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
608⤵
- Drops file in Windows directory
PID:1932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
609⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
610⤵
- Modifies registry class
PID:4648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
611⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
612⤵
- Drops file in Windows directory
- Modifies registry class
PID:2136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
613⤵
- Drops file in Windows directory
PID:3040

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
614⤵
PID:3448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
615⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
616⤵
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
617⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
618⤵
PID:1292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
619⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
620⤵
PID:2484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
621⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
622⤵
PID:1096

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
623⤵
- Drops file in Windows directory
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
624⤵
PID:4240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
625⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
626⤵
PID:1220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
627⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
628⤵
- Modifies registry class
PID:4552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
629⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
630⤵
PID:4768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
631⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
632⤵
PID:2904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
633⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
634⤵
PID:5048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
635⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
636⤵
PID:3400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
637⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
638⤵
- Modifies registry class
PID:260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
639⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
640⤵
PID:2492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
641⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
642⤵
- Checks computer location settings
PID:4516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
643⤵
- Drops file in Windows directory
PID:4476

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
644⤵
PID:3892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
645⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
646⤵
PID:3672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
647⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
648⤵
PID:4428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
649⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
650⤵
- Checks computer location settings
PID:1048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
651⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
652⤵
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
653⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
654⤵
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
655⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
656⤵
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
657⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
658⤵
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
659⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
660⤵
- Modifies registry class
PID:4560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
661⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
662⤵
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
663⤵
- Drops file in Windows directory
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
664⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
665⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
666⤵
PID:4572

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
667⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
668⤵
PID:1412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
669⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
670⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
671⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
672⤵
PID:3156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
673⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
674⤵
PID:4752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
675⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
676⤵
PID:624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
677⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
678⤵
PID:3648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
679⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
680⤵
- Checks computer location settings
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
681⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
682⤵
PID:3356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
683⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
684⤵
- Checks computer location settings
PID:3232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
685⤵
- Drops file in Windows directory
PID:4180

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
686⤵
PID:4276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
687⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
688⤵
- Modifies registry class
PID:4220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
689⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
690⤵
PID:1884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
691⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
692⤵
- Drops file in Windows directory
PID:2464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
693⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
694⤵
PID:4948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
695⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
696⤵
PID:3780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
697⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
698⤵
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
699⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
700⤵
PID:4996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
701⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
702⤵
- Checks computer location settings
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
703⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
704⤵
PID:4876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
705⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
706⤵
PID:4928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
707⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
708⤵
- Modifies registry class
PID:3632

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
709⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
710⤵
PID:3480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
711⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
712⤵
PID:2272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
713⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
714⤵
- Checks computer location settings
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
715⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
716⤵
PID:3212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
717⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
718⤵
PID:4140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
719⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
720⤵
PID:3052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
721⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
722⤵
PID:2088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
723⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
724⤵
PID:664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
725⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
726⤵
PID:4500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
727⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
728⤵
PID:4760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
729⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
730⤵
PID:1304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
731⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
732⤵
PID:1828

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
733⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
734⤵
PID:1276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
735⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
736⤵
PID:4088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
737⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
738⤵
PID:624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
739⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
740⤵
PID:3088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
741⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
742⤵
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
743⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
744⤵
PID:600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
745⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
746⤵
PID:4656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
747⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
748⤵
PID:2996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
749⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
750⤵
PID:2800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
751⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
752⤵
- Checks computer location settings
PID:3068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
753⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
754⤵
PID:2464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
755⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
756⤵
- Checks computer location settings
PID:4948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
757⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
758⤵
- Drops file in Windows directory
PID:4056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
759⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
760⤵
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
761⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
762⤵
PID:672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
763⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
764⤵
PID:3144

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
765⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
766⤵
- Checks computer location settings
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
767⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
768⤵
- Checks computer location settings
PID:4944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
769⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
770⤵
PID:3472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
771⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
772⤵
PID:3492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
773⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
774⤵
PID:948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
775⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
776⤵
- Modifies registry class
PID:3320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
777⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
778⤵
- Drops file in Windows directory
- Modifies registry class
PID:1284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
779⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
780⤵
PID:3896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
781⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
782⤵
- Modifies registry class
PID:3900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
783⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
784⤵
- Modifies registry class
PID:4748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
785⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
786⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
787⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
788⤵
PID:4888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
789⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
790⤵
PID:5064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
791⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
792⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
793⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
794⤵
PID:3308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
795⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
796⤵
PID:4752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
797⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
798⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
799⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
800⤵
PID:5092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
801⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
802⤵
PID:3460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
803⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
804⤵
PID:4808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
805⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
806⤵
PID:1316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
807⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
808⤵
PID:3616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
809⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
810⤵
PID:3940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
811⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
812⤵
PID:4768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
813⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
814⤵
PID:2904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
815⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
816⤵
PID:204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
817⤵
PID:100

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
818⤵
- Modifies registry class
PID:4488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
819⤵
- Drops file in Windows directory
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
820⤵
PID:2872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
821⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
822⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
823⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
824⤵
PID:4476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
825⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
826⤵
PID:4504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
827⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
828⤵
PID:756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
829⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
830⤵
- Drops file in Windows directory
PID:4232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
831⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
832⤵
PID:3172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
833⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
834⤵
PID:3992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
835⤵
- Drops file in Windows directory
PID:2272

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
836⤵
PID:2388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
837⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
838⤵
PID:1864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
839⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
840⤵
- Drops file in Windows directory
PID:2564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
841⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
842⤵
- Drops file in Windows directory
PID:2796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
843⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
844⤵
PID:4520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
845⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
846⤵
PID:1120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
847⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
848⤵
PID:1272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
849⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
850⤵
PID:3524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
851⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
852⤵
PID:1628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
853⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
854⤵
PID:3928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
855⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
856⤵
PID:1340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
857⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
858⤵
PID:3448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
859⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
860⤵
PID:1792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
861⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
862⤵
PID:3100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
863⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
864⤵
PID:3208

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
865⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
866⤵
PID:3036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
867⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
868⤵
PID:1812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
869⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
870⤵
- Modifies registry class
PID:4276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
871⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
872⤵
- Checks computer location settings
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
873⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
874⤵
- Checks computer location settings
PID:3056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
875⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
876⤵
PID:1984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
877⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
878⤵
PID:4800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
879⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
880⤵
PID:4740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
881⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
882⤵
PID:4060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
883⤵
- Drops file in Windows directory
PID:856

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
884⤵
PID:2856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
885⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
886⤵
PID:4896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
887⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
888⤵
PID:3996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
889⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
890⤵
PID:4608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
891⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
892⤵
PID:4244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
893⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
894⤵
PID:616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
895⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
896⤵
- Drops file in Windows directory
PID:5084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
897⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
898⤵
PID:1908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
899⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
900⤵
PID:380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
901⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
902⤵
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
903⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
904⤵
- Drops file in Windows directory
PID:4596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
905⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
906⤵
PID:2816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
907⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
908⤵
PID:1464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
909⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
910⤵
PID:796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
911⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
912⤵
PID:2008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
913⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
914⤵
- Modifies registry class
PID:1412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
915⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
916⤵
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
917⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
918⤵
PID:4168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
919⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
920⤵
PID:4120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
921⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
922⤵
- Checks computer location settings
PID:1860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
923⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
924⤵
- Checks computer location settings
PID:4204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
925⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
926⤵
PID:4776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
927⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
928⤵
- Checks computer location settings
PID:4620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
929⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
930⤵
PID:4136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
931⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
932⤵
PID:3716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
933⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
934⤵
PID:2424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
935⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
936⤵
PID:2140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
937⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
938⤵
PID:4048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
939⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
940⤵
PID:5044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
941⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
942⤵
- Modifies registry class
PID:3080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
943⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
944⤵
PID:224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
945⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
946⤵
PID:2004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
947⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
948⤵
PID:4996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
949⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
950⤵
PID:4516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
951⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
952⤵
- Modifies registry class
PID:3892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
953⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
954⤵
PID:952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
955⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
956⤵
- Modifies registry class
PID:4348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
957⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
958⤵
PID:4232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
959⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
960⤵
PID:3172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
961⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
962⤵
PID:3092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
963⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
964⤵
- Checks computer location settings
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
965⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
966⤵
- Modifies registry class
PID:4672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
967⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
968⤵
PID:2304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
969⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
970⤵
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
971⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
972⤵
PID:4484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
973⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
974⤵
- Checks computer location settings
- Modifies registry class
PID:2816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
975⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
976⤵
- Checks computer location settings
PID:1464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
977⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
978⤵
PID:796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
979⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
980⤵
PID:3692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
981⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
982⤵
- Modifies registry class
PID:3084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
983⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
984⤵
PID:4272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
985⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
986⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
987⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
988⤵
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
989⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
990⤵
PID:2280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
991⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
992⤵
PID:5020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
993⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
994⤵
PID:4304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
995⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
996⤵
- Checks computer location settings
PID:4620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
997⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
998⤵
PID:4136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
999⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1000⤵
PID:2276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1001⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1002⤵
- Drops file in Windows directory
PID:2424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1003⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1004⤵
PID:2140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1005⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1006⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1007⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1008⤵
PID:3216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1009⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1010⤵
PID:3484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1011⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1012⤵
PID:1544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1013⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1014⤵
PID:2492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1015⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1016⤵
- Drops file in Windows directory
- Modifies registry class
PID:4116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1017⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1018⤵
PID:4400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1019⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1020⤵
PID:3892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1021⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1022⤵
PID:4428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE"
1023⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\9FD4AE~1.EXE
1024⤵
- Checks computer location settings
PID:4348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9fd4aeaf98697763e5a41bad321c756008bdd4b792c96fcee50dcdda39c0ce9a.exe
Filesize
251KB

MD5
edba213a742aa303e3ca416d2c76335d

SHA1
d9cbf2ff3609cb7231e701d4919a87a86c82b12b

SHA256
573e0203948db6e1c97a91d558812c7fe3793227eeabba09085511b9a2455242

SHA512
9311beb8afe789eb3efe09a0883c9e179edd43e8892afa3aac119646b60aae4df0a33ffd8d86ad97721b26f4f5a882e9d616aeb8ff110917367269cbf53c941b

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
da5fc33c97957a21534f5c18f5d3a2cb

SHA1
e6624206db0856436ba2f291343aa9e8a6eff7eb

SHA256
dce5cff8faa1783dc5deab837170c599a45102c983504c0ee16120913d9e42b3

SHA512
f7c43b3560dad2f8024ec03cbf4e7ae48c45fb7909f7b54c9cd709c9e1a05ffbd528bb3b7fe71bdc3e25d225116c0cb3aa51d3312f074010053672fbea75c834

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
901ebbb6e5e38962842a6a5465c8eacb

SHA1
476a683555e0c93d69e355b2a094543d62e3720d

SHA256
e954779436c74c3a3e3be0b7bb2a0a20a07f9d8b75d2d21decb9c5ebbe6a9a88

SHA512
29ff4ba7cb0bcd0ea65de4d0848966d5b99d181a47ea327a4ff8b87ce7012af0d57c887b50f891c7b50afae6992148a33ec41d70c8e28c120848dfaf770d1473

Download Submit
memory/204-257-0x0000000000000000-mapping.dmp

Download
memory/204-158-0x0000000000000000-mapping.dmp

Download
memory/612-252-0x0000000000000000-mapping.dmp

Download
memory/796-218-0x0000000000000000-mapping.dmp

Download
memory/804-253-0x0000000000000000-mapping.dmp

Download
memory/1056-254-0x0000000000000000-mapping.dmp

Download
memory/1068-210-0x0000000000000000-mapping.dmp

Download
memory/1096-243-0x0000000000000000-mapping.dmp

Download
memory/1100-192-0x0000000000000000-mapping.dmp

Download
memory/1112-236-0x0000000000000000-mapping.dmp

Download
memory/1416-237-0x0000000000000000-mapping.dmp

Download
memory/1432-234-0x0000000000000000-mapping.dmp

Download
memory/1472-242-0x0000000000000000-mapping.dmp

Download
memory/1508-168-0x0000000000000000-mapping.dmp

Download
memory/1576-212-0x0000000000000000-mapping.dmp

Download
memory/1688-239-0x0000000000000000-mapping.dmp

Download
memory/1812-140-0x0000000000000000-mapping.dmp

Download
memory/1924-224-0x0000000000000000-mapping.dmp

Download
memory/2092-152-0x0000000000000000-mapping.dmp

Download
memory/2140-249-0x0000000000000000-mapping.dmp

Download
memory/2172-216-0x0000000000000000-mapping.dmp

Download
memory/2244-238-0x0000000000000000-mapping.dmp

Download
memory/2252-182-0x0000000000000000-mapping.dmp

Download
memory/2276-138-0x0000000000000000-mapping.dmp

Download
memory/2280-244-0x0000000000000000-mapping.dmp

Download
memory/2496-150-0x0000000000000000-mapping.dmp

Download
memory/2984-144-0x0000000000000000-mapping.dmp

Download
memory/3020-233-0x0000000000000000-mapping.dmp

Download
memory/3056-240-0x0000000000000000-mapping.dmp

Download
memory/3084-232-0x0000000000000000-mapping.dmp

Download
memory/3100-245-0x0000000000000000-mapping.dmp

Download
memory/3144-170-0x0000000000000000-mapping.dmp

Download
memory/3184-156-0x0000000000000000-mapping.dmp

Download
memory/3232-247-0x0000000000000000-mapping.dmp

Download
memory/3292-229-0x0000000000000000-mapping.dmp

Download
memory/3312-251-0x0000000000000000-mapping.dmp

Download
memory/3320-194-0x0000000000000000-mapping.dmp

Download
memory/3328-250-0x0000000000000000-mapping.dmp

Download
memory/3448-235-0x0000000000000000-mapping.dmp

Download
memory/3524-206-0x0000000000000000-mapping.dmp

Download
memory/3568-256-0x0000000000000000-mapping.dmp

Download
memory/3616-188-0x0000000000000000-mapping.dmp

Download
memory/3660-241-0x0000000000000000-mapping.dmp

Download
memory/3716-246-0x0000000000000000-mapping.dmp

Download
memory/3816-204-0x0000000000000000-mapping.dmp

Download
memory/3872-180-0x0000000000000000-mapping.dmp

Download
memory/3996-176-0x0000000000000000-mapping.dmp

Download
memory/4036-200-0x0000000000000000-mapping.dmp

Download
memory/4056-255-0x0000000000000000-mapping.dmp

Download
memory/4076-135-0x0000000000000000-mapping.dmp

Download
memory/4352-231-0x0000000000000000-mapping.dmp

Download
memory/4428-197-0x0000000000000000-mapping.dmp

Download
memory/4456-228-0x0000000000000000-mapping.dmp

Download
memory/4516-259-0x0000000000000000-mapping.dmp

Download
memory/4536-230-0x0000000000000000-mapping.dmp

Download
memory/4552-146-0x0000000000000000-mapping.dmp

Download
memory/4608-186-0x0000000000000000-mapping.dmp

Download
memory/4620-248-0x0000000000000000-mapping.dmp

Download
memory/4784-162-0x0000000000000000-mapping.dmp

Download
memory/4804-258-0x0000000000000000-mapping.dmp

Download
memory/4832-164-0x0000000000000000-mapping.dmp

Download
memory/4964-174-0x0000000000000000-mapping.dmp

Download
memory/5024-132-0x0000000000000000-mapping.dmp

Download
memory/5112-222-0x0000000000000000-mapping.dmp

Download