neshta | 6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d

Analysis

max time kernel
190s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Size

536KB
MD5

3e34aa903d09bd824af20d8e7d16248d
SHA1

c17b17c0dad5afb6a2b2348be4db53fea5ff030c
SHA256

6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d
SHA512

fc0805c32d381f4ec0434443f44ac5ace557f96099dabc0c35cc16d21b0daf5665ba058019101eb8adfe4d769d3a3318c971e4b171a740eb533dfd9498e55d4d
SSDEEP

6144:k999eCEB+d9EItun+X461zhWVVDYrEfrzZOIvQoAdOoW1QHYdEPRdWtoyBu99:c5EganW4/Lrzzyp4dEPR0oyB

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 35 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exesvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com

pid	process
3464	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
2156	svchost.com
4532	6319F4~1.EXE
3644	svchost.com
3472	6319F4~1.EXE
2476	svchost.com
1264	6319F4~1.EXE
4360	svchost.com
2652	6319F4~1.EXE
4932	svchost.com
2852	6319F4~1.EXE
3664	svchost.com
4756	6319F4~1.EXE
3424	svchost.com
4432	6319F4~1.EXE
3116	svchost.com
4176	6319F4~1.EXE
4344	svchost.com
2532	6319F4~1.EXE
5064	svchost.com
2692	6319F4~1.EXE
4212	svchost.com
3552	6319F4~1.EXE
2276	svchost.com
1440	6319F4~1.EXE
4408	svchost.com
1672	6319F4~1.EXE
3708	svchost.com
1152	6319F4~1.EXE
4780	svchost.com
3964	6319F4~1.EXE
4792	svchost.com
4712	6319F4~1.EXE
1212	svchost.com
1668	6319F4~1.EXE
1168	svchost.com
1648	6319F4~1.EXE
4008	svchost.com
4028	6319F4~1.EXE
4952	svchost.com
3188	6319F4~1.EXE
1560	svchost.com
940	6319F4~1.EXE
3668	svchost.com
3468	6319F4~1.EXE
1340	svchost.com
3644	6319F4~1.EXE
3768	svchost.com
5100	6319F4~1.EXE
2160	svchost.com
1744	6319F4~1.EXE
4360	svchost.com
1876	6319F4~1.EXE
1520	svchost.com
2640	6319F4~1.EXE
2852	svchost.com
2864	6319F4~1.EXE
5080	svchost.com
5076	6319F4~1.EXE
4340	svchost.com
1008	6319F4~1.EXE
4300	svchost.com
2492	6319F4~1.EXE
3828	svchost.com

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE6319F4~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6319F4~1.EXE

Drops file in Program Files directory 4 IoCs

Processes:

6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.com6319F4~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com6319F4~1.EXE6319F4~1.EXE6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.comsvchost.comsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXE6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXE6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXE6319F4~1.EXEsvchost.comsvchost.com6319F4~1.EXE6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com6319F4~1.EXE6319F4~1.EXE6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.comsvchost.com6319F4~1.EXEsvchost.comsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com6319F4~1.EXE

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	6319F4~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	6319F4~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6319F4~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exesvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXEsvchost.com6319F4~1.EXE

description	pid	process	target process
PID 1372 wrote to memory of 3464	1372	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
PID 1372 wrote to memory of 3464	1372	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
PID 1372 wrote to memory of 3464	1372	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
PID 3464 wrote to memory of 2156	3464	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	svchost.com
PID 3464 wrote to memory of 2156	3464	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	svchost.com
PID 3464 wrote to memory of 2156	3464	6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe	svchost.com
PID 2156 wrote to memory of 4532	2156	svchost.com	6319F4~1.EXE
PID 2156 wrote to memory of 4532	2156	svchost.com	6319F4~1.EXE
PID 2156 wrote to memory of 4532	2156	svchost.com	6319F4~1.EXE
PID 4532 wrote to memory of 3644	4532	6319F4~1.EXE	svchost.com
PID 4532 wrote to memory of 3644	4532	6319F4~1.EXE	svchost.com
PID 4532 wrote to memory of 3644	4532	6319F4~1.EXE	svchost.com
PID 3644 wrote to memory of 3472	3644	svchost.com	6319F4~1.EXE
PID 3644 wrote to memory of 3472	3644	svchost.com	6319F4~1.EXE
PID 3644 wrote to memory of 3472	3644	svchost.com	6319F4~1.EXE
PID 3472 wrote to memory of 2476	3472	6319F4~1.EXE	svchost.com
PID 3472 wrote to memory of 2476	3472	6319F4~1.EXE	svchost.com
PID 3472 wrote to memory of 2476	3472	6319F4~1.EXE	svchost.com
PID 2476 wrote to memory of 1264	2476	svchost.com	6319F4~1.EXE
PID 2476 wrote to memory of 1264	2476	svchost.com	6319F4~1.EXE
PID 2476 wrote to memory of 1264	2476	svchost.com	6319F4~1.EXE
PID 1264 wrote to memory of 4360	1264	6319F4~1.EXE	svchost.com
PID 1264 wrote to memory of 4360	1264	6319F4~1.EXE	svchost.com
PID 1264 wrote to memory of 4360	1264	6319F4~1.EXE	svchost.com
PID 4360 wrote to memory of 2652	4360	svchost.com	6319F4~1.EXE
PID 4360 wrote to memory of 2652	4360	svchost.com	6319F4~1.EXE
PID 4360 wrote to memory of 2652	4360	svchost.com	6319F4~1.EXE
PID 2652 wrote to memory of 4932	2652	6319F4~1.EXE	svchost.com
PID 2652 wrote to memory of 4932	2652	6319F4~1.EXE	svchost.com
PID 2652 wrote to memory of 4932	2652	6319F4~1.EXE	svchost.com
PID 4932 wrote to memory of 2852	4932	svchost.com	6319F4~1.EXE
PID 4932 wrote to memory of 2852	4932	svchost.com	6319F4~1.EXE
PID 4932 wrote to memory of 2852	4932	svchost.com	6319F4~1.EXE
PID 2852 wrote to memory of 3664	2852	6319F4~1.EXE	svchost.com
PID 2852 wrote to memory of 3664	2852	6319F4~1.EXE	svchost.com
PID 2852 wrote to memory of 3664	2852	6319F4~1.EXE	svchost.com
PID 3664 wrote to memory of 4756	3664	svchost.com	6319F4~1.EXE
PID 3664 wrote to memory of 4756	3664	svchost.com	6319F4~1.EXE
PID 3664 wrote to memory of 4756	3664	svchost.com	6319F4~1.EXE
PID 4756 wrote to memory of 3424	4756	6319F4~1.EXE	svchost.com
PID 4756 wrote to memory of 3424	4756	6319F4~1.EXE	svchost.com
PID 4756 wrote to memory of 3424	4756	6319F4~1.EXE	svchost.com
PID 3424 wrote to memory of 4432	3424	svchost.com	6319F4~1.EXE
PID 3424 wrote to memory of 4432	3424	svchost.com	6319F4~1.EXE
PID 3424 wrote to memory of 4432	3424	svchost.com	6319F4~1.EXE
PID 4432 wrote to memory of 3116	4432	6319F4~1.EXE	svchost.com
PID 4432 wrote to memory of 3116	4432	6319F4~1.EXE	svchost.com
PID 4432 wrote to memory of 3116	4432	6319F4~1.EXE	svchost.com
PID 3116 wrote to memory of 4176	3116	svchost.com	6319F4~1.EXE
PID 3116 wrote to memory of 4176	3116	svchost.com	6319F4~1.EXE
PID 3116 wrote to memory of 4176	3116	svchost.com	6319F4~1.EXE
PID 4176 wrote to memory of 4344	4176	6319F4~1.EXE	svchost.com
PID 4176 wrote to memory of 4344	4176	6319F4~1.EXE	svchost.com
PID 4176 wrote to memory of 4344	4176	6319F4~1.EXE	svchost.com
PID 4344 wrote to memory of 2532	4344	svchost.com	6319F4~1.EXE
PID 4344 wrote to memory of 2532	4344	svchost.com	6319F4~1.EXE
PID 4344 wrote to memory of 2532	4344	svchost.com	6319F4~1.EXE
PID 2532 wrote to memory of 5064	2532	6319F4~1.EXE	svchost.com
PID 2532 wrote to memory of 5064	2532	6319F4~1.EXE	svchost.com
PID 2532 wrote to memory of 5064	2532	6319F4~1.EXE	svchost.com
PID 5064 wrote to memory of 2692	5064	svchost.com	6319F4~1.EXE
PID 5064 wrote to memory of 2692	5064	svchost.com	6319F4~1.EXE
PID 5064 wrote to memory of 2692	5064	svchost.com	6319F4~1.EXE
PID 2692 wrote to memory of 4212	2692	6319F4~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
"C:\Users\Admin\AppData\Local\Temp\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
23⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
24⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
25⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
26⤵
- Executes dropped EXE
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
27⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
28⤵
- Executes dropped EXE
PID:1672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
29⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3708

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
30⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
31⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4780

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
32⤵
- Executes dropped EXE
PID:3964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
33⤵
- Executes dropped EXE
PID:4792

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
34⤵
- Executes dropped EXE
- Modifies registry class
PID:4712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
35⤵
- Executes dropped EXE
PID:1212

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
36⤵
- Executes dropped EXE
- Checks computer location settings
PID:1668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
37⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
38⤵
- Executes dropped EXE
PID:1648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
39⤵
- Executes dropped EXE
PID:4008

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
40⤵
- Executes dropped EXE
PID:4028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
41⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
42⤵
- Executes dropped EXE
- Modifies registry class
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
43⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
44⤵
- Executes dropped EXE
PID:940

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
45⤵
- Executes dropped EXE
PID:3668

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
46⤵
- Executes dropped EXE
- Checks computer location settings
PID:3468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
47⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1340

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
48⤵
- Executes dropped EXE
PID:3644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
49⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
50⤵
- Executes dropped EXE
PID:5100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
51⤵
- Executes dropped EXE
PID:2160

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
52⤵
- Executes dropped EXE
PID:1744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
53⤵
- Executes dropped EXE
PID:4360

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
54⤵
- Executes dropped EXE
- Checks computer location settings
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
55⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
56⤵
- Executes dropped EXE
- Checks computer location settings
PID:2640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
57⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
58⤵
- Executes dropped EXE
PID:2864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
59⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
60⤵
- Executes dropped EXE
PID:5076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
61⤵
- Executes dropped EXE
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
62⤵
- Executes dropped EXE
- Modifies registry class
PID:1008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
63⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
64⤵
- Executes dropped EXE
PID:2492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
65⤵
- Executes dropped EXE
PID:3828

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
66⤵
PID:4412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
67⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
68⤵
- Modifies registry class
PID:2696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
69⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
70⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
71⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
72⤵
PID:2620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
73⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
74⤵
PID:1936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
75⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
76⤵
- Drops file in Windows directory
PID:1320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
77⤵
- Drops file in Windows directory
PID:4664

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
78⤵
- Drops file in Windows directory
PID:1468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
79⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
80⤵
PID:4772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
81⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
82⤵
- Modifies registry class
PID:3748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
83⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
84⤵
- Checks computer location settings
- Modifies registry class
PID:5104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
85⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
86⤵
- Modifies registry class
PID:2700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
87⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
88⤵
- Checks computer location settings
PID:4008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
89⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
90⤵
- Drops file in Windows directory
PID:3564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
91⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
92⤵
PID:3328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
93⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
94⤵
PID:1268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
95⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
96⤵
- Modifies registry class
PID:3452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
97⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
98⤵
PID:4900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
99⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
100⤵
PID:4052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
101⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
102⤵
- Modifies registry class
PID:1264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
103⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
104⤵
PID:4360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
105⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
106⤵
PID:4932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
107⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
108⤵
PID:2732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
109⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
110⤵
PID:3232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
111⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
112⤵
PID:1064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
113⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
114⤵
PID:1292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
115⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
116⤵
PID:2052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
117⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
118⤵
PID:3432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
119⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
120⤵
- Modifies registry class
PID:4524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
121⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
122⤵
PID:4272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
123⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
124⤵
- Checks computer location settings
- Modifies registry class
PID:3300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
125⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
126⤵
PID:1672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
127⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
76⤵
- Checks computer location settings
PID:1396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
77⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
78⤵
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
79⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
80⤵
PID:4840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
81⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
82⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
83⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
84⤵
PID:492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
85⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
86⤵
PID:3324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
87⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
88⤵
PID:3060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
89⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
90⤵
- Checks computer location settings
PID:4548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
91⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
92⤵
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
93⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
94⤵
PID:1456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
95⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
96⤵
- Modifies registry class
PID:772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
97⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
98⤵
- Checks computer location settings
PID:5048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
99⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
100⤵
- Modifies registry class
PID:1864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
101⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
102⤵
PID:4592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
103⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
104⤵
PID:4384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
105⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
106⤵
PID:4688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
107⤵
- Drops file in Windows directory
PID:3168

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
108⤵
PID:4732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
109⤵
- Drops file in Windows directory
PID:3380

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
110⤵
- Checks computer location settings
- Modifies registry class
PID:2052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
111⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
112⤵
- Checks computer location settings
- Modifies registry class
PID:4964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
113⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
114⤵
- Checks computer location settings
PID:1420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
115⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
116⤵
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
117⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
118⤵
- Checks computer location settings
PID:364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
119⤵
- Drops file in Windows directory
PID:2352

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
120⤵
- Checks computer location settings
PID:2716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
121⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
122⤵
PID:2180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
123⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
124⤵
PID:1384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
125⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
126⤵
PID:4760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
127⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
128⤵
PID:4008

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
129⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
130⤵
PID:4004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
131⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
132⤵
PID:3564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
133⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
134⤵
PID:3820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
135⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
136⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
137⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
138⤵
PID:3284

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
139⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
140⤵
PID:372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
141⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
142⤵
PID:4924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
143⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
144⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
145⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
146⤵
- Checks computer location settings
PID:2788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
147⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
148⤵
- Checks computer location settings
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
149⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
150⤵
PID:4420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
151⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
152⤵
PID:1892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
153⤵
- Drops file in Windows directory
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
154⤵
PID:3272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
155⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
156⤵
PID:1652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
157⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
158⤵
PID:1992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
159⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
160⤵
PID:4408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
161⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
162⤵
PID:804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
163⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
164⤵
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
165⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
166⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4616

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
167⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
168⤵
PID:1168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
169⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
170⤵
- Modifies registry class
PID:2704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
171⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
172⤵
- Modifies registry class
PID:492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
173⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
174⤵
PID:4000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
175⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
176⤵
- Checks computer location settings
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
177⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
178⤵
- Checks computer location settings
PID:1356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
179⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
180⤵
PID:3772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
181⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
182⤵
PID:3472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
183⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
184⤵
PID:4044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
185⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
186⤵
PID:1772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
187⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
188⤵
- Drops file in Windows directory
PID:3396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
189⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
190⤵
PID:2640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
191⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
192⤵
- Modifies registry class
PID:3316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
193⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
194⤵
- Checks computer location settings
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
195⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
196⤵
- Drops file in Windows directory
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
197⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
198⤵
PID:1892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
199⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
200⤵
PID:3272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
201⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
202⤵
- Checks computer location settings
PID:1652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
203⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
204⤵
- Modifies registry class
PID:1448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
205⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
206⤵
- Checks computer location settings
- Modifies registry class
PID:4408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
207⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
208⤵
PID:804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
209⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
210⤵
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
211⤵
- Drops file in Windows directory
PID:4876

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
212⤵
PID:1644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
213⤵
- Drops file in Windows directory
PID:3976

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
214⤵
PID:648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
215⤵
- Drops file in Windows directory
PID:2784

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
216⤵
PID:4760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
217⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
218⤵
- Modifies registry class
PID:1012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
219⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
220⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
221⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
222⤵
PID:3060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
223⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
224⤵
- Modifies registry class
PID:4548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
225⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
226⤵
PID:3468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
227⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
228⤵
PID:4820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
229⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
230⤵
- Checks computer location settings
- Modifies registry class
PID:5060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
231⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
232⤵
PID:2300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
233⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
234⤵
- Checks computer location settings
- Modifies registry class
PID:4932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
235⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
236⤵
PID:4780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
237⤵
- Drops file in Windows directory
PID:3592

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
238⤵
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
239⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
240⤵
- Modifies registry class
PID:4968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
241⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
242⤵
- Checks computer location settings
PID:4708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
243⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
244⤵
- Checks computer location settings
PID:4596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
245⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
246⤵
PID:2696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
247⤵
- Drops file in Windows directory
PID:4424

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
248⤵
- Checks computer location settings
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
249⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
250⤵
- Checks computer location settings
PID:744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
251⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
252⤵
PID:2856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
253⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
254⤵
- Checks computer location settings
PID:4076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
255⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
256⤵
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
257⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
258⤵
- Checks computer location settings
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
259⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
260⤵
- Modifies registry class
PID:3668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
261⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
262⤵
PID:4328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
263⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
264⤵
PID:4820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
265⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
266⤵
- Checks computer location settings
- Modifies registry class
PID:1304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
267⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
268⤵
PID:4824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
269⤵
- Drops file in Windows directory
PID:2852

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
270⤵
PID:4728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
271⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
272⤵
- Checks computer location settings
- Modifies registry class
PID:3232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
273⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
274⤵
PID:4344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
275⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
276⤵
PID:3428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
277⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
278⤵
PID:3780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
279⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
280⤵
- Modifies registry class
PID:1156

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
281⤵
- Drops file in Windows directory
PID:4964

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
282⤵
PID:3884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
283⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
284⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
285⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
206⤵
PID:4956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
207⤵
- Drops file in Windows directory
PID:3708

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
208⤵
- Checks computer location settings
PID:1480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
209⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
210⤵
- Checks computer location settings
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
211⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
212⤵
PID:628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
213⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
214⤵
- Drops file in Windows directory
PID:4768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
215⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
216⤵
PID:2328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
217⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
218⤵
- Modifies registry class
PID:1648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
219⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
220⤵
- Drops file in Windows directory
PID:3016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
221⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
222⤵
PID:4884

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
223⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
224⤵
- Modifies registry class
PID:4532

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
225⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
226⤵
PID:4900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
227⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
228⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
229⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
230⤵
- Checks computer location settings
PID:5048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
231⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
147⤵
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
148⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
149⤵
- Drops file in Windows directory
PID:4592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
150⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
151⤵
PID:1472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
152⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
153⤵
- Drops file in Windows directory
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
154⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
155⤵
- Checks computer location settings
- Modifies registry class
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
156⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
157⤵
- Modifies registry class
PID:1336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
158⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
159⤵
- Checks computer location settings
PID:4964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
160⤵
- Drops file in Windows directory
PID:3172

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
161⤵
- Checks computer location settings
PID:3300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
162⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
163⤵
PID:1672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
164⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
165⤵
PID:1152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
166⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
167⤵
- Checks computer location settings
PID:1396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
168⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
169⤵
- Modifies registry class
PID:1224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
170⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
171⤵
PID:5036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
172⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
173⤵
- Modifies registry class
PID:1756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
174⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
175⤵
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
176⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
177⤵
PID:4840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
178⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
179⤵
PID:3836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
180⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
181⤵
- Drops file in Windows directory
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
182⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
183⤵
PID:1300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
184⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
185⤵
PID:1052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
186⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
187⤵
PID:4248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
188⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
189⤵
- Drops file in Windows directory
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
190⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
191⤵
PID:4308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
192⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
193⤵
PID:3880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
194⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
195⤵
PID:2340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
196⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
197⤵
- Checks computer location settings
PID:2500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
198⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
199⤵
- Checks computer location settings
PID:5020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
200⤵
- Drops file in Windows directory
PID:1716

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
201⤵
- Checks computer location settings
PID:1192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
202⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
203⤵
PID:4968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
204⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
205⤵
PID:4708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
206⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
207⤵
PID:4596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
208⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
209⤵
- Checks computer location settings
PID:2460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
210⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
211⤵
PID:2912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
212⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
213⤵
PID:4324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
214⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
215⤵
- Modifies registry class
PID:2352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
216⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
217⤵
PID:740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
218⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
219⤵
PID:2592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
220⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
221⤵
PID:3236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
222⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
223⤵
PID:392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
224⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
225⤵
PID:4972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
226⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
227⤵
PID:4104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
228⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
229⤵
- Checks computer location settings
PID:5088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
230⤵
- Drops file in Windows directory
PID:2800

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
231⤵
- Checks computer location settings
- Modifies registry class
PID:3676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
232⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
233⤵
PID:648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
234⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
235⤵
PID:2476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
236⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
237⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:5012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
238⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
239⤵
PID:4980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
240⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
241⤵
PID:2348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
242⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
243⤵
PID:4848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
244⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
245⤵
- Drops file in Windows directory
PID:2300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
246⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
247⤵
- Drops file in Windows directory
PID:2732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
248⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
249⤵
- Checks computer location settings
- Modifies registry class
PID:1064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
250⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
251⤵
- Modifies registry class
PID:1716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
252⤵
- Drops file in Windows directory
PID:4344

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
253⤵
PID:2692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
254⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
255⤵
PID:4492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
256⤵
- Drops file in Windows directory
PID:4708

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
257⤵
PID:4524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
258⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
259⤵
- Drops file in Windows directory
- Modifies registry class
PID:2696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
260⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
261⤵
- Modifies registry class
PID:4204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
262⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
263⤵
PID:1164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
264⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
265⤵
- Checks computer location settings
PID:1452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
266⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
267⤵
- Drops file in Windows directory
PID:1476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
268⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
269⤵
PID:2720

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
270⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
271⤵
- Checks computer location settings
PID:1060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
272⤵
- Drops file in Windows directory
PID:1564

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
273⤵
PID:5108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
274⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
275⤵
PID:4908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
276⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
277⤵
PID:3368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
278⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
279⤵
PID:4012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
280⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
281⤵
PID:5088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
282⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
283⤵
PID:3676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
284⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
285⤵
PID:648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
286⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
287⤵
- Modifies registry class
PID:1744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
288⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
289⤵
- Modifies registry class
PID:2272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
290⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
291⤵
- Modifies registry class
PID:1712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
292⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
293⤵
PID:1864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
294⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
295⤵
- Checks computer location settings
PID:2640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
296⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
297⤵
PID:4112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
298⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
299⤵
PID:4320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
300⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
301⤵
PID:3432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
302⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
303⤵
- Drops file in Windows directory
- Modifies registry class
PID:1600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
304⤵
- Drops file in Windows directory
PID:3696

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
305⤵
- Modifies registry class
PID:1652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
306⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
307⤵
- Checks computer location settings
PID:3888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
308⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
309⤵
- Checks computer location settings
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
310⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
311⤵
- Drops file in Windows directory
PID:1824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
312⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
313⤵
- Checks computer location settings
PID:2848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
314⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
315⤵
- Drops file in Windows directory
PID:3200

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
316⤵
- Drops file in Windows directory
PID:4948

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
317⤵
PID:3352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
318⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
319⤵
- Modifies registry class
PID:3988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
320⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
321⤵
PID:400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
322⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
323⤵
PID:4892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
324⤵
- Drops file in Windows directory
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
325⤵
PID:4056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
326⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
327⤵
PID:1664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
328⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
329⤵
PID:4452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
330⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
331⤵
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
332⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
333⤵
PID:2676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
334⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
335⤵
PID:3504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
336⤵
- Drops file in Windows directory
PID:3116

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
337⤵
PID:2500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
338⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
339⤵
- Drops file in Windows directory
PID:2200

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
340⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
341⤵
- Checks computer location settings
PID:4688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
342⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
343⤵
PID:4732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
344⤵
- Drops file in Windows directory
PID:4784

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
345⤵
- Modifies registry class
PID:3444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
346⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
1⤵
- Checks computer location settings
PID:4524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
2⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
3⤵
PID:2460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
4⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
5⤵
- Modifies registry class
PID:2912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
6⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
7⤵
PID:2020

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
8⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
9⤵
PID:1152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
10⤵
- Drops file in Windows directory
PID:2244

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
11⤵
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
12⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
13⤵
PID:4076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
14⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
15⤵
PID:1060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
16⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
17⤵
- Checks computer location settings
- Modifies registry class
PID:5108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
18⤵
- Drops file in Windows directory
PID:2780

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
19⤵
PID:2328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
20⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
21⤵
PID:1012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
22⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
23⤵
PID:3704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
24⤵
- Drops file in Windows directory
PID:4884

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
25⤵
- Drops file in Windows directory
PID:3188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
26⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
27⤵
PID:1768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
28⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
29⤵
PID:872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
30⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
31⤵
- Modifies registry class
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
32⤵
- Drops file in Windows directory
PID:2096

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
33⤵
- Modifies registry class
PID:3636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
34⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
35⤵
PID:2348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
36⤵
- Drops file in Windows directory
PID:3116

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
37⤵
- Modifies registry class
PID:4384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
38⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
39⤵
- Checks computer location settings
PID:1292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
40⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
41⤵
- Checks computer location settings
PID:4528

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
42⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
43⤵
- Drops file in Windows directory
PID:3984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
44⤵
- Drops file in Windows directory
PID:4732

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
45⤵
- Modifies registry class
PID:4224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
46⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
47⤵
PID:3152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
48⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
49⤵
- Checks computer location settings
PID:2628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
50⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
51⤵
PID:4204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
52⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
53⤵
- Checks computer location settings
PID:2316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
54⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
55⤵
PID:3224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
56⤵
- Drops file in Windows directory
PID:3964

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
57⤵
- Modifies registry class
PID:3768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
58⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
59⤵
- Drops file in Windows directory
- Modifies registry class
PID:1224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
60⤵
- Drops file in Windows directory
PID:1696

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
61⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
62⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
63⤵
PID:3932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
64⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE
65⤵
- Checks computer location settings
PID:4760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\6319F4~1.EXE"
66⤵
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6319f48483e5d3ad1acb1efda81d0f6b30ff528b9eee623e8f3a0f8fc5bd321d.exe
Filesize
495KB

MD5
22ad10bc96c72e6fdd5b4c9dd93e78f9

SHA1
f4134524ce52ece2c3a95f0d92d472009b67e4c0

SHA256
099beaf89141b8e0f6f371983e4e57868519269c90b62ae90de41da38dda881f

SHA512
b3cb53c8e8e28ee0ac4951e76043dd8d5139a6c190cc090491a6ecff879d9259045d1b332c6b54bb40a41be1035cad1a5349ded0b2fef74c38c52ac39a02c6b3

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
8f14a584fb7d575bd2ac634ece3d15b1

SHA1
afea239e8be65e5aff4da495fa64d03b696a3cfe

SHA256
ea6e578b43738d20bf0659c565f05c992e9b14457ca80214e0eb346666164014

SHA512
d64f35ccbc505990cbe0e406b27e7dbcc4786f92f1cae14f09f6b2524818bd3a3a4293b90789554e02802d3127d2eb337d2fd212a51384866e5b25a6e898675c

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
00ebd990288cb01666eeff2e1161e223

SHA1
260456b8b545a3656e0e736df4110a6e718ac70c

SHA256
1983ac75b68e7b8f40454a516943702508e748adc68f6fcdc8ff32dadbbbffe9

SHA512
438d0db21a54d7394784495f7fd0d83b75ced5083640b8079eb3b63af2163a64b96e741bc173f4a1202043a3b5dd52f8a14f622f5400c46c3fe45654d79fd7c7

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/940-238-0x0000000000000000-mapping.dmp

Download
memory/1008-256-0x0000000000000000-mapping.dmp

Download
memory/1152-217-0x0000000000000000-mapping.dmp

Download
memory/1168-231-0x0000000000000000-mapping.dmp

Download
memory/1212-229-0x0000000000000000-mapping.dmp

Download
memory/1264-150-0x0000000000000000-mapping.dmp

Download
memory/1340-241-0x0000000000000000-mapping.dmp

Download
memory/1440-205-0x0000000000000000-mapping.dmp

Download
memory/1520-249-0x0000000000000000-mapping.dmp

Download
memory/1560-237-0x0000000000000000-mapping.dmp

Download
memory/1648-232-0x0000000000000000-mapping.dmp

Download
memory/1668-230-0x0000000000000000-mapping.dmp

Download
memory/1672-211-0x0000000000000000-mapping.dmp

Download
memory/1744-246-0x0000000000000000-mapping.dmp

Download
memory/1876-248-0x0000000000000000-mapping.dmp

Download
memory/2156-135-0x0000000000000000-mapping.dmp

Download
memory/2160-245-0x0000000000000000-mapping.dmp

Download
memory/2276-201-0x0000000000000000-mapping.dmp

Download
memory/2476-147-0x0000000000000000-mapping.dmp

Download
memory/2492-258-0x0000000000000000-mapping.dmp

Download
memory/2532-187-0x0000000000000000-mapping.dmp

Download
memory/2640-250-0x0000000000000000-mapping.dmp

Download
memory/2652-156-0x0000000000000000-mapping.dmp

Download
memory/2692-193-0x0000000000000000-mapping.dmp

Download
memory/2852-251-0x0000000000000000-mapping.dmp

Download
memory/2852-163-0x0000000000000000-mapping.dmp

Download
memory/2864-252-0x0000000000000000-mapping.dmp

Download
memory/3116-177-0x0000000000000000-mapping.dmp

Download
memory/3188-236-0x0000000000000000-mapping.dmp

Download
memory/3424-171-0x0000000000000000-mapping.dmp

Download
memory/3464-132-0x0000000000000000-mapping.dmp

Download
memory/3468-240-0x0000000000000000-mapping.dmp

Download
memory/3472-145-0x0000000000000000-mapping.dmp

Download
memory/3552-199-0x0000000000000000-mapping.dmp

Download
memory/3644-242-0x0000000000000000-mapping.dmp

Download
memory/3644-141-0x0000000000000000-mapping.dmp

Download
memory/3664-165-0x0000000000000000-mapping.dmp

Download
memory/3668-239-0x0000000000000000-mapping.dmp

Download
memory/3708-213-0x0000000000000000-mapping.dmp

Download
memory/3768-243-0x0000000000000000-mapping.dmp

Download
memory/3828-259-0x0000000000000000-mapping.dmp

Download
memory/3964-223-0x0000000000000000-mapping.dmp

Download
memory/4008-233-0x0000000000000000-mapping.dmp

Download
memory/4028-234-0x0000000000000000-mapping.dmp

Download
memory/4176-181-0x0000000000000000-mapping.dmp

Download
memory/4212-195-0x0000000000000000-mapping.dmp

Download
memory/4300-257-0x0000000000000000-mapping.dmp

Download
memory/4340-255-0x0000000000000000-mapping.dmp

Download
memory/4344-183-0x0000000000000000-mapping.dmp

Download
memory/4360-247-0x0000000000000000-mapping.dmp

Download
memory/4360-153-0x0000000000000000-mapping.dmp

Download
memory/4408-207-0x0000000000000000-mapping.dmp

Download
memory/4432-175-0x0000000000000000-mapping.dmp

Download
memory/4532-139-0x0000000000000000-mapping.dmp

Download
memory/4712-228-0x0000000000000000-mapping.dmp

Download
memory/4756-169-0x0000000000000000-mapping.dmp

Download
memory/4780-219-0x0000000000000000-mapping.dmp

Download
memory/4792-225-0x0000000000000000-mapping.dmp

Download
memory/4932-159-0x0000000000000000-mapping.dmp

Download
memory/4952-235-0x0000000000000000-mapping.dmp

Download
memory/5064-189-0x0000000000000000-mapping.dmp

Download
memory/5076-254-0x0000000000000000-mapping.dmp

Download
memory/5080-253-0x0000000000000000-mapping.dmp

Download
memory/5100-244-0x0000000000000000-mapping.dmp

Download