neshta | ed27d8ccdbf541656dcf2b1f7cdb02798264caec3e9b3c03c5bf3c0d89da3479

Analysis

max time kernel
67s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe
Size

488KB
MD5

2f7d30492ee67298ec6a5b95a463dcc0
SHA1

537e606f77d472e18a9c7cc4161d408d48d3fa07
SHA256

ed27d8ccdbf541656dcf2b1f7cdb02798264caec3e9b3c03c5bf3c0d89da3479
SHA512

08c500d61ca9a3852af34c95fff1809d6425c160ff764512b8b8458e805a31435b2247d60aa552b79ee1ad288047a668d8401b246ef999368ea2f36a9340e25d
SSDEEP

6144:k9JIVIIIIBIIII+IIIIvIIIItIIIInIIIIbIIIIUIIII9IIIIBIIIIwIIII+IIIt:PkTSJXF16JYIaeFYxQvfe3Qc

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/memory/4616-0-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4616-2-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000800000002326d-6.dat	family_neshta
behavioral2/files/0x0008000000023271-12.dat	family_neshta
behavioral2/memory/556-20-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2628-31-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/440-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1468-36-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1544-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1816-51-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4908-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1044-66-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2884-68-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1404-72-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2636-80-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1020-90-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3032-92-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3632-96-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4616-104-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5100-105-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/572-109-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3164-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1752-121-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4672-129-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/392-133-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4588-141-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4028-145-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/8-153-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3996-157-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4684-165-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4828-175-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1708-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/748-183-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3800-189-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1360-193-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3732-200-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1144-202-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3432-208-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2464-210-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4976-216-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4564-218-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4696-224-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1264-226-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1952-232-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2740-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1308-240-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4304-242-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3776-248-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4764-255-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3468-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4704-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2924-264-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/664-266-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1012-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1160-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1568-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3124-282-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4752-288-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3168-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2172-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3792-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4252-304-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/540-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4664-312-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2F7D30~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
4168	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe
556	svchost.com
2628	2F7D30~1.EXE
440	svchost.com
1468	2F7D30~1.EXE
1544	svchost.com
1816	2F7D30~1.EXE
4908	svchost.com
1044	2F7D30~1.EXE
2884	svchost.com
1404	2F7D30~1.EXE
2636	svchost.com
1020	2F7D30~1.EXE
3032	svchost.com
3632	2F7D30~1.EXE
5100	svchost.com
572	2F7D30~1.EXE
3164	svchost.com
1752	2F7D30~1.EXE
4672	svchost.com
392	2F7D30~1.EXE
4588	svchost.com
4028	2F7D30~1.EXE
8	svchost.com
3996	2F7D30~1.EXE
4684	svchost.com
4828	2F7D30~1.EXE
1708	svchost.com
748	2F7D30~1.EXE
3800	svchost.com
1360	2F7D30~1.EXE
3732	svchost.com
1144	2F7D30~1.EXE
3432	svchost.com
2464	2F7D30~1.EXE
4976	svchost.com
4564	2F7D30~1.EXE
4696	svchost.com
1264	2F7D30~1.EXE
1952	svchost.com
2740	2F7D30~1.EXE
1308	svchost.com
4304	2F7D30~1.EXE
3776	svchost.com
4764	2F7D30~1.EXE
3468	svchost.com
4704	2F7D30~1.EXE
2924	svchost.com
664	2F7D30~1.EXE
1012	svchost.com
1160	2F7D30~1.EXE
1568	svchost.com
3124	2F7D30~1.EXE
4752	svchost.com
3168	2F7D30~1.EXE
2172	svchost.com
3792	2F7D30~1.EXE
4252	svchost.com
540	2F7D30~1.EXE
4664	svchost.com
3032	2F7D30~1.EXE
3340	svchost.com
2788	2F7D30~1.EXE
3084	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2F7D30~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2F7D30~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4168	4616	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe	91
PID 4616 wrote to memory of 4168	4616	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe	91
PID 4616 wrote to memory of 4168	4616	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe	91
PID 4168 wrote to memory of 556	4168	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe	92
PID 4168 wrote to memory of 556	4168	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe	92
PID 4168 wrote to memory of 556	4168	2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe	92
PID 556 wrote to memory of 2628	556	svchost.com	93
PID 556 wrote to memory of 2628	556	svchost.com	93
PID 556 wrote to memory of 2628	556	svchost.com	93
PID 2628 wrote to memory of 440	2628	2F7D30~1.EXE	94
PID 2628 wrote to memory of 440	2628	2F7D30~1.EXE	94
PID 2628 wrote to memory of 440	2628	2F7D30~1.EXE	94
PID 440 wrote to memory of 1468	440	svchost.com	95
PID 440 wrote to memory of 1468	440	svchost.com	95
PID 440 wrote to memory of 1468	440	svchost.com	95
PID 1468 wrote to memory of 1544	1468	2F7D30~1.EXE	96
PID 1468 wrote to memory of 1544	1468	2F7D30~1.EXE	96
PID 1468 wrote to memory of 1544	1468	2F7D30~1.EXE	96
PID 1544 wrote to memory of 1816	1544	svchost.com	97
PID 1544 wrote to memory of 1816	1544	svchost.com	97
PID 1544 wrote to memory of 1816	1544	svchost.com	97
PID 1816 wrote to memory of 4908	1816	2F7D30~1.EXE	98
PID 1816 wrote to memory of 4908	1816	2F7D30~1.EXE	98
PID 1816 wrote to memory of 4908	1816	2F7D30~1.EXE	98
PID 4908 wrote to memory of 1044	4908	svchost.com	99
PID 4908 wrote to memory of 1044	4908	svchost.com	99
PID 4908 wrote to memory of 1044	4908	svchost.com	99
PID 1044 wrote to memory of 2884	1044	2F7D30~1.EXE	100
PID 1044 wrote to memory of 2884	1044	2F7D30~1.EXE	100
PID 1044 wrote to memory of 2884	1044	2F7D30~1.EXE	100
PID 2884 wrote to memory of 1404	2884	svchost.com	101
PID 2884 wrote to memory of 1404	2884	svchost.com	101
PID 2884 wrote to memory of 1404	2884	svchost.com	101
PID 1404 wrote to memory of 2636	1404	2F7D30~1.EXE	102
PID 1404 wrote to memory of 2636	1404	2F7D30~1.EXE	102
PID 1404 wrote to memory of 2636	1404	2F7D30~1.EXE	102
PID 2636 wrote to memory of 1020	2636	svchost.com	103
PID 2636 wrote to memory of 1020	2636	svchost.com	103
PID 2636 wrote to memory of 1020	2636	svchost.com	103
PID 1020 wrote to memory of 3032	1020	2F7D30~1.EXE	104
PID 1020 wrote to memory of 3032	1020	2F7D30~1.EXE	104
PID 1020 wrote to memory of 3032	1020	2F7D30~1.EXE	104
PID 3032 wrote to memory of 3632	3032	svchost.com	105
PID 3032 wrote to memory of 3632	3032	svchost.com	105
PID 3032 wrote to memory of 3632	3032	svchost.com	105
PID 3632 wrote to memory of 5100	3632	2F7D30~1.EXE	106
PID 3632 wrote to memory of 5100	3632	2F7D30~1.EXE	106
PID 3632 wrote to memory of 5100	3632	2F7D30~1.EXE	106
PID 5100 wrote to memory of 572	5100	svchost.com	107
PID 5100 wrote to memory of 572	5100	svchost.com	107
PID 5100 wrote to memory of 572	5100	svchost.com	107
PID 572 wrote to memory of 3164	572	2F7D30~1.EXE	108
PID 572 wrote to memory of 3164	572	2F7D30~1.EXE	108
PID 572 wrote to memory of 3164	572	2F7D30~1.EXE	108
PID 3164 wrote to memory of 1752	3164	svchost.com	160
PID 3164 wrote to memory of 1752	3164	svchost.com	160
PID 3164 wrote to memory of 1752	3164	svchost.com	160
PID 1752 wrote to memory of 4672	1752	2F7D30~1.EXE	163
PID 1752 wrote to memory of 4672	1752	2F7D30~1.EXE	163
PID 1752 wrote to memory of 4672	1752	2F7D30~1.EXE	163
PID 4672 wrote to memory of 392	4672	svchost.com	111
PID 4672 wrote to memory of 392	4672	svchost.com	111
PID 4672 wrote to memory of 392	4672	svchost.com	111
PID 392 wrote to memory of 4588	392	2F7D30~1.EXE	112

C:\Users\Admin\AppData\Local\Temp\2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\3582-490\2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        66⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        67⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        68⤵
        Drops file in Windows directory
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        69⤵
        Drops file in Windows directory
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        70⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        71⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        72⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        73⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        74⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        75⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        76⤵
        Checks computer location settings
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        77⤵
        Drops file in Windows directory
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        78⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        79⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        81⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        82⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        83⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        84⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        85⤵
        Drops file in Windows directory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        86⤵
        
        PID:4556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        87⤵
        Drops file in Windows directory
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        89⤵
        Drops file in Windows directory
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        90⤵
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        91⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        92⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        93⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        94⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        95⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        96⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        97⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        98⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        101⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        102⤵
        Drops file in Windows directory
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        103⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        104⤵
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        105⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        106⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        107⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        108⤵
        Checks computer location settings
        
        PID:3872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        109⤵
        Drops file in Windows directory
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        111⤵
        Drops file in Windows directory
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        112⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        113⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        114⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        115⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        116⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        118⤵
        Checks computer location settings
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        119⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        120⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        121⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        122⤵
        Modifies registry class
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        123⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        124⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        125⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        126⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        127⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        128⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        129⤵
        Drops file in Windows directory
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        130⤵
        
        PID:3660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        131⤵
        Drops file in Windows directory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        132⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        133⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        134⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        135⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        136⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        137⤵
        Drops file in Windows directory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        138⤵
        Checks computer location settings
        Modifies registry class
        
        PID:440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        139⤵
        Drops file in Windows directory
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        140⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        141⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        142⤵
        Checks computer location settings
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        143⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        144⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        145⤵
        Drops file in Windows directory
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        146⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        147⤵
        Drops file in Windows directory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        148⤵
        Modifies registry class
        
        PID:3180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        149⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        150⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        151⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        152⤵
        Checks computer location settings
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        153⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        154⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        155⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        156⤵
        Modifies registry class
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        157⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        158⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        159⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        160⤵
        Checks computer location settings
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        161⤵
        Drops file in Windows directory
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        162⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        163⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        164⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        165⤵
        Drops file in Windows directory
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        166⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        167⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        168⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        169⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        170⤵
        Modifies registry class
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        171⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        172⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        173⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        174⤵
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        175⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        176⤵
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        177⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        178⤵
        
        PID:5016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        179⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        180⤵
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        181⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        182⤵
        
        PID:3348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        183⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        184⤵
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        185⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        186⤵
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        187⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        188⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        189⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        190⤵
        
        PID:3188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        191⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        192⤵
        
        PID:936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        193⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        194⤵
        
        PID:3828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        195⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        196⤵
        
        PID:4276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        197⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        198⤵
        
        PID:1412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        199⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        200⤵
        
        PID:4272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        201⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        202⤵
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        203⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        204⤵
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        205⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        206⤵
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        207⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        208⤵
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        209⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        210⤵
        
        PID:3944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        211⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        212⤵
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        213⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        214⤵
        
        PID:3192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        215⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        216⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        217⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        218⤵
        
        PID:3704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        219⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        220⤵
        
        PID:4012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        221⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        222⤵
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        223⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        224⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        225⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        226⤵
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        227⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        228⤵
        
        PID:3952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        229⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        230⤵
        
        PID:1828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        231⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        232⤵
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        233⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        234⤵
        
        PID:3348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        235⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        236⤵
        
        PID:3792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        237⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        238⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        239⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        240⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        241⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        242⤵
        
        PID:3112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        243⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        244⤵
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        245⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        246⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        247⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        248⤵
        
        PID:3300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        249⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        250⤵
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        251⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        252⤵
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        253⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        254⤵
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        255⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        256⤵
        
        PID:332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        257⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        258⤵
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        259⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        260⤵
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        261⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        262⤵
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        263⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        264⤵
        
        PID:1892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        265⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        266⤵
        
        PID:3876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        267⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        268⤵
        
        PID:3532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        269⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        270⤵
        
        PID:3356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        271⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        272⤵
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        273⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        274⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        275⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        276⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        277⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        278⤵
        
        PID:904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        279⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        280⤵
        
        PID:1440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        281⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        282⤵
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        283⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        284⤵
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        285⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        286⤵
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        287⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        288⤵
        
        PID:3388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        289⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        290⤵
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        291⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        292⤵
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        293⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        294⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        295⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        296⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        297⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        298⤵
        
        PID:904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        299⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        300⤵
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        301⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        302⤵
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        303⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        304⤵
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        305⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        306⤵
        
        PID:1892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        307⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        308⤵
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        309⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        310⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        311⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        312⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        313⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        314⤵
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        315⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        316⤵
        
        PID:532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        317⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        318⤵
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        319⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        320⤵
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        321⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        322⤵
        
        PID:2384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        323⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        324⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        325⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        326⤵
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        327⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        328⤵
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        329⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        330⤵
        
        PID:664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        331⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        332⤵
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        333⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        334⤵
        
        PID:332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        335⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        336⤵
        
        PID:3732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        337⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        338⤵
        
        PID:440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        339⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        340⤵
        
        PID:3704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        341⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        342⤵
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        343⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        344⤵
        
        PID:4308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        345⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        346⤵
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        347⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        348⤵
        
        PID:3776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        349⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        350⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        351⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        352⤵
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        353⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        354⤵
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        355⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        356⤵
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        357⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        358⤵
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        359⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        360⤵
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        361⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        362⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        363⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        364⤵
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        365⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        366⤵
        
        PID:3468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        367⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        368⤵
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        369⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        370⤵
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        371⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        372⤵
        
        PID:4632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        373⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        374⤵
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        375⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        376⤵
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        377⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        378⤵
        
        PID:3748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        379⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        380⤵
        
        PID:4672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        381⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        382⤵
        
        PID:4896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        383⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        384⤵
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        385⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        386⤵
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        387⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        388⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        389⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        390⤵
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        391⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        392⤵
        
        PID:3944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        393⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        394⤵
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        395⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        396⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        397⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        398⤵
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        399⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        400⤵
        
        PID:3356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        401⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        402⤵
        
        PID:4204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        403⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        404⤵
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        405⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        406⤵
        
        PID:3952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        407⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        408⤵
        
        PID:4284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        409⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        410⤵
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        411⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        412⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        413⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        414⤵
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        415⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        416⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        417⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        418⤵
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        419⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        420⤵
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        421⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        422⤵
        
        PID:4204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        423⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        424⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        425⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        426⤵
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        427⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        428⤵
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        429⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        430⤵
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        431⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        432⤵
        
        PID:4388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        433⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        434⤵
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        435⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        436⤵
        
        PID:3504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        437⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        438⤵
        
        PID:3388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        439⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        440⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        441⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        442⤵
        
        PID:4308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        443⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        444⤵
        
        PID:4556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        445⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        446⤵
        
        PID:4656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        447⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        448⤵
        
        PID:1404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        449⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        450⤵
        
        PID:3312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        451⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        452⤵
        
        PID:3192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        453⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        454⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        455⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        456⤵
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        457⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        458⤵
        
        PID:3828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        459⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        460⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        461⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        462⤵
        
        PID:4692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        463⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        464⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        465⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        466⤵
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        467⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        468⤵
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        469⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        470⤵
        
        PID:4348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        471⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        472⤵
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        473⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        474⤵
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        475⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        476⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        477⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        478⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        479⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        480⤵
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        481⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        482⤵
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        483⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        484⤵
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        485⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        486⤵
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        487⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        488⤵
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        489⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        490⤵
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        491⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        492⤵
        
        PID:64
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        493⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        494⤵
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        495⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        496⤵
        
        PID:2440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        497⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        498⤵
        
        PID:4276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        499⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        500⤵
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        501⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        502⤵
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        503⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        504⤵
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        505⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        506⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        507⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        508⤵
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        509⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        510⤵
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        511⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        512⤵
        
        PID:1916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        513⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        514⤵
        
        PID:64
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        515⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        516⤵
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        517⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        518⤵
        
        PID:4144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        519⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        520⤵
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        521⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        522⤵
        
        PID:3776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        523⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        524⤵
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        525⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        526⤵
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        527⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        528⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        529⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        530⤵
        
        PID:3368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        531⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        532⤵
        
        PID:4696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        533⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        534⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        535⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        536⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        537⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        538⤵
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        539⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        540⤵
        
        PID:4480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        541⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        542⤵
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        543⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        544⤵
        
        PID:3556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        545⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        546⤵
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        547⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        548⤵
        
        PID:4324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        549⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        550⤵
        
        PID:952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        551⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        552⤵
        
        PID:3748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        553⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        554⤵
        
        PID:3864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        555⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        556⤵
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        557⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        558⤵
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        559⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        560⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        561⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        562⤵
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        563⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        564⤵
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        565⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        566⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        567⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        568⤵
        
        PID:4692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        569⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        570⤵
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        571⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        572⤵
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        573⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        574⤵
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        575⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        576⤵
        
        PID:3184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        577⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        578⤵
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        579⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        580⤵
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        581⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        582⤵
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        583⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        584⤵
        
        PID:4516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        585⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        586⤵
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        587⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        588⤵
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        589⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        590⤵
        
        PID:1216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        591⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        592⤵
        
        PID:3556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        593⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        594⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        595⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        596⤵
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        597⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        598⤵
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        599⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        600⤵
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE"
        601⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\2F7D30~1.EXE
        602⤵
        
        PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4676

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4976

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\2f7d30492ee67298ec6a5b95a463dcc0_NeikiAnalytics.exe

Filesize
448KB

MD5
8ea8a9efc710402475fbb1ca57c29715

SHA1
313c6d75d3a7e73b24757cd6b4e81c1d2e3e0c21

SHA256
04b8200c53a024ac20b3c74148c38d218e444a172ad7ec0965c13729d2e7a188

SHA512
4207695e2ad5b0b20a6e3418f21004ab7c89809c6272eadd10a37b3cd1943a6c3faac899ca66f4f1a365326af8ddabb36c159a9d39de6aa69ea0b3832f1607ab

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
fe0b70446fe7c33b31f048d72fc491b8

SHA1
bda64b376f21f73a0fb37a47a26ff61b516fc9fb

SHA256
2424f2adcf39cfc103aae59b0c10982cb80959b13cd2a1e85478796898dfcc6f

SHA512
5faefaebd20d42f71319121a1fdbcfa8ddc06d5315b6e991b3eea8f14766483eedf9e7ccbec4c8824279c4c91ea9acdbbf6b51c1d73e893ddf78983d7de670f4

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/8-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/392-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/440-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/540-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/556-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/572-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/664-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-183-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1012-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1020-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1044-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1144-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1160-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1264-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1360-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1404-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1468-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1544-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1568-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1708-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1952-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2172-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2464-210-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2628-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2636-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3124-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3164-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3168-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3432-208-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3468-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3632-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3732-200-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3776-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3792-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3800-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3996-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4028-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4168-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4252-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4304-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4564-218-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4588-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4616-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4616-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4616-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4664-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4672-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4684-165-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4696-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4704-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4752-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4764-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4828-175-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4908-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-216-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5100-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads