neshta | fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316

Analysis

max time kernel
140s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
Size

331KB
MD5

06a1ff466c12643060a9378cd51ca7c0
SHA1

d89c51b158fa2a67eaeb0111456292e6a6f73a89
SHA256

fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316
SHA512

73b2c7a01e55d3b1df03b7f36c04f4cc1e233a180a4369cbb69f7ca73c5a00120b4230980b0fd9ab0cd4ac565bc6dff8194482dbb3b1e3d501a2362469b279d1
SSDEEP

6144:k9ZiIeqZUKRm1J0XhWqoDTUvaBMifp2BRvEmE9:UiIeNWiJ0XhWl0vKTiRvEm

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 45 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exesvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.com

pid	process
4576	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
4684	svchost.com
3596	FCFEA3~1.EXE
1036	svchost.com
32	FCFEA3~1.EXE
780	svchost.com
3996	FCFEA3~1.EXE
2728	svchost.com
2820	FCFEA3~1.EXE
2264	svchost.com
4776	FCFEA3~1.EXE
4300	svchost.com
2304	FCFEA3~1.EXE
3324	svchost.com
5108	FCFEA3~1.EXE
4948	svchost.com
3472	FCFEA3~1.EXE
2192	svchost.com
3132	FCFEA3~1.EXE
4584	svchost.com
4892	FCFEA3~1.EXE
4256	svchost.com
4580	FCFEA3~1.EXE
3016	svchost.com
2344	FCFEA3~1.EXE
3668	svchost.com
1320	FCFEA3~1.EXE
3436	svchost.com
3052	FCFEA3~1.EXE
3620	svchost.com
3580	FCFEA3~1.EXE
732	svchost.com
1776	FCFEA3~1.EXE
4876	svchost.com
2804	FCFEA3~1.EXE
3188	svchost.com
1700	FCFEA3~1.EXE
4684	svchost.com
3588	FCFEA3~1.EXE
220	svchost.com
4864	FCFEA3~1.EXE
228	svchost.com
3084	FCFEA3~1.EXE
4436	svchost.com
4752	FCFEA3~1.EXE
3852	svchost.com
2728	FCFEA3~1.EXE
1984	svchost.com
4812	FCFEA3~1.EXE
1396	svchost.com
3232	FCFEA3~1.EXE
2816	svchost.com
1588	FCFEA3~1.EXE
1340	svchost.com
1676	FCFEA3~1.EXE
3728	svchost.com
2380	FCFEA3~1.EXE
4904	svchost.com
4200	FCFEA3~1.EXE
2992	svchost.com
1836	FCFEA3~1.EXE
4116	svchost.com
2940	FCFEA3~1.EXE
1248	svchost.com

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEfcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FCFEA3~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exefcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Drops file in Windows directory 64 IoCs

Processes:

FCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEsvchost.comsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comsvchost.comFCFEA3~1.EXEFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comsvchost.comFCFEA3~1.EXEFCFEA3~1.EXEsvchost.comsvchost.comsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEFCFEA3~1.EXEFCFEA3~1.EXEsvchost.comsvchost.comFCFEA3~1.EXEFCFEA3~1.EXEsvchost.comsvchost.comsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comFCFEA3~1.EXEsvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FCFEA3~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\ = "IAgentExt"	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server.2\CLSID	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib\Version = "2.0"	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\0	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\LocalServer32	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}\ProxyStubClsid32	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\TypeLib\Version = "2.0"	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCommands"	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputPropertiesEx"	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\TypeLib\Version = "2.0"	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7B93C92-7B81-11D0-AC5F-00C04FD97575}\TreatAs	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0\win32	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\FLAGS	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	FCFEA3~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0"	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}\TypeLib	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	FCFEA3~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib	FCFEA3~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exefcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exesvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXEsvchost.comFCFEA3~1.EXE

description	pid	process	target process
PID 3276 wrote to memory of 4576	3276	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
PID 3276 wrote to memory of 4576	3276	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
PID 3276 wrote to memory of 4576	3276	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
PID 4576 wrote to memory of 4684	4576	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	svchost.com
PID 4576 wrote to memory of 4684	4576	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	svchost.com
PID 4576 wrote to memory of 4684	4576	fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe	svchost.com
PID 4684 wrote to memory of 3596	4684	svchost.com	FCFEA3~1.EXE
PID 4684 wrote to memory of 3596	4684	svchost.com	FCFEA3~1.EXE
PID 4684 wrote to memory of 3596	4684	svchost.com	FCFEA3~1.EXE
PID 3596 wrote to memory of 1036	3596	FCFEA3~1.EXE	svchost.com
PID 3596 wrote to memory of 1036	3596	FCFEA3~1.EXE	svchost.com
PID 3596 wrote to memory of 1036	3596	FCFEA3~1.EXE	svchost.com
PID 1036 wrote to memory of 32	1036	svchost.com	FCFEA3~1.EXE
PID 1036 wrote to memory of 32	1036	svchost.com	FCFEA3~1.EXE
PID 1036 wrote to memory of 32	1036	svchost.com	FCFEA3~1.EXE
PID 32 wrote to memory of 780	32	FCFEA3~1.EXE	svchost.com
PID 32 wrote to memory of 780	32	FCFEA3~1.EXE	svchost.com
PID 32 wrote to memory of 780	32	FCFEA3~1.EXE	svchost.com
PID 780 wrote to memory of 3996	780	svchost.com	FCFEA3~1.EXE
PID 780 wrote to memory of 3996	780	svchost.com	FCFEA3~1.EXE
PID 780 wrote to memory of 3996	780	svchost.com	FCFEA3~1.EXE
PID 3996 wrote to memory of 2728	3996	FCFEA3~1.EXE	svchost.com
PID 3996 wrote to memory of 2728	3996	FCFEA3~1.EXE	svchost.com
PID 3996 wrote to memory of 2728	3996	FCFEA3~1.EXE	svchost.com
PID 2728 wrote to memory of 2820	2728	svchost.com	FCFEA3~1.EXE
PID 2728 wrote to memory of 2820	2728	svchost.com	FCFEA3~1.EXE
PID 2728 wrote to memory of 2820	2728	svchost.com	FCFEA3~1.EXE
PID 2820 wrote to memory of 2264	2820	FCFEA3~1.EXE	svchost.com
PID 2820 wrote to memory of 2264	2820	FCFEA3~1.EXE	svchost.com
PID 2820 wrote to memory of 2264	2820	FCFEA3~1.EXE	svchost.com
PID 2264 wrote to memory of 4776	2264	svchost.com	FCFEA3~1.EXE
PID 2264 wrote to memory of 4776	2264	svchost.com	FCFEA3~1.EXE
PID 2264 wrote to memory of 4776	2264	svchost.com	FCFEA3~1.EXE
PID 4776 wrote to memory of 4300	4776	FCFEA3~1.EXE	svchost.com
PID 4776 wrote to memory of 4300	4776	FCFEA3~1.EXE	svchost.com
PID 4776 wrote to memory of 4300	4776	FCFEA3~1.EXE	svchost.com
PID 4300 wrote to memory of 2304	4300	svchost.com	FCFEA3~1.EXE
PID 4300 wrote to memory of 2304	4300	svchost.com	FCFEA3~1.EXE
PID 4300 wrote to memory of 2304	4300	svchost.com	FCFEA3~1.EXE
PID 2304 wrote to memory of 3324	2304	FCFEA3~1.EXE	svchost.com
PID 2304 wrote to memory of 3324	2304	FCFEA3~1.EXE	svchost.com
PID 2304 wrote to memory of 3324	2304	FCFEA3~1.EXE	svchost.com
PID 3324 wrote to memory of 5108	3324	svchost.com	FCFEA3~1.EXE
PID 3324 wrote to memory of 5108	3324	svchost.com	FCFEA3~1.EXE
PID 3324 wrote to memory of 5108	3324	svchost.com	FCFEA3~1.EXE
PID 5108 wrote to memory of 4948	5108	FCFEA3~1.EXE	svchost.com
PID 5108 wrote to memory of 4948	5108	FCFEA3~1.EXE	svchost.com
PID 5108 wrote to memory of 4948	5108	FCFEA3~1.EXE	svchost.com
PID 4948 wrote to memory of 3472	4948	svchost.com	FCFEA3~1.EXE
PID 4948 wrote to memory of 3472	4948	svchost.com	FCFEA3~1.EXE
PID 4948 wrote to memory of 3472	4948	svchost.com	FCFEA3~1.EXE
PID 3472 wrote to memory of 2192	3472	FCFEA3~1.EXE	svchost.com
PID 3472 wrote to memory of 2192	3472	FCFEA3~1.EXE	svchost.com
PID 3472 wrote to memory of 2192	3472	FCFEA3~1.EXE	svchost.com
PID 2192 wrote to memory of 3132	2192	svchost.com	FCFEA3~1.EXE
PID 2192 wrote to memory of 3132	2192	svchost.com	FCFEA3~1.EXE
PID 2192 wrote to memory of 3132	2192	svchost.com	FCFEA3~1.EXE
PID 3132 wrote to memory of 4584	3132	FCFEA3~1.EXE	svchost.com
PID 3132 wrote to memory of 4584	3132	FCFEA3~1.EXE	svchost.com
PID 3132 wrote to memory of 4584	3132	FCFEA3~1.EXE	svchost.com
PID 4584 wrote to memory of 4892	4584	svchost.com	FCFEA3~1.EXE
PID 4584 wrote to memory of 4892	4584	svchost.com	FCFEA3~1.EXE
PID 4584 wrote to memory of 4892	4584	svchost.com	FCFEA3~1.EXE
PID 4892 wrote to memory of 4256	4892	FCFEA3~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
"C:\Users\Admin\AppData\Local\Temp\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        30⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        32⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        46⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        50⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        62⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        64⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        66⤵
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        67⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        68⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        69⤵
        Drops file in Windows directory
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        70⤵
        
        PID:3436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        71⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        72⤵
        Modifies registry class
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        73⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        74⤵
        Checks computer location settings
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        75⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        76⤵
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        77⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        78⤵
        
        PID:220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        79⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        80⤵
        Checks computer location settings
        
        PID:384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        81⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        82⤵
        Checks computer location settings
        
        PID:456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        83⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        84⤵
        
        PID:3608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        85⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        86⤵
        Modifies registry class
        
        PID:4788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        87⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        88⤵
        Checks computer location settings
        
        PID:4516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        89⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        90⤵
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        91⤵
        Drops file in Windows directory
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        92⤵
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        93⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        94⤵
        Checks computer location settings
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        95⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        96⤵
        
        PID:1316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        97⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        98⤵
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        99⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        100⤵
        
        PID:4296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        101⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        102⤵
        
        PID:4116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        104⤵
        Drops file in Windows directory
        
        PID:736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        105⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        106⤵
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        107⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        108⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        109⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        110⤵
        Modifies registry class
        
        PID:3548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        111⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        112⤵
        Checks computer location settings
        
        PID:3268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        113⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        114⤵
        Checks computer location settings
        
        PID:4876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        115⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        116⤵
        
        PID:3368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        118⤵
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        119⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        120⤵
        
        PID:3536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        121⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        122⤵
        Drops file in Windows directory
        
        PID:2456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        123⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        124⤵
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        125⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        126⤵
        
        PID:4408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        127⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        128⤵
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        129⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        130⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        131⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        132⤵
        Modifies registry class
        
        PID:4612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        133⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        134⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        135⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        136⤵
        Checks computer location settings
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        137⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        138⤵
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        139⤵
        Drops file in Windows directory
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        140⤵
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        141⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        142⤵
        Checks computer location settings
        
        PID:4116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        143⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        144⤵
        Modifies registry class
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        145⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        146⤵
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        147⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        148⤵
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        149⤵
        Drops file in Windows directory
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        150⤵
        Checks computer location settings
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        151⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        152⤵
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        153⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        154⤵
        Checks computer location settings
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        155⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        156⤵
        Checks computer location settings
        
        PID:3376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        157⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        158⤵
        Modifies registry class
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        159⤵
        Drops file in Windows directory
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        160⤵
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        161⤵
        Drops file in Windows directory
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        162⤵
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        163⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        164⤵
        
        PID:4436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        165⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        166⤵
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        168⤵
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        169⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        170⤵
        Drops file in Windows directory
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        171⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        172⤵
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        173⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        174⤵
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        175⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        176⤵
        Drops file in Windows directory
        
        PID:4836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        177⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        178⤵
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        179⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        180⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        181⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        182⤵
        Checks computer location settings
        
        PID:492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        183⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        184⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        185⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        186⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        187⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        188⤵
        Checks computer location settings
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        189⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        190⤵
        Checks computer location settings
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        191⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        192⤵
        Modifies registry class
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        193⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        194⤵
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        195⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        196⤵
        Checks computer location settings
        
        PID:436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        197⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        198⤵
        Checks computer location settings
        
        PID:3552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        199⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        200⤵
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        201⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        202⤵
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        203⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        204⤵
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        205⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        206⤵
        
        PID:4348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        207⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        208⤵
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        209⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        210⤵
        
        PID:4832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        211⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        212⤵
        Modifies registry class
        
        PID:4760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        213⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        214⤵
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        215⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        216⤵
        Checks computer location settings
        
        PID:3224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        217⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        218⤵
        Drops file in Windows directory
        
        PID:4712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        219⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        220⤵
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        221⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        222⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        223⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        224⤵
        Checks computer location settings
        
        PID:4288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        225⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        226⤵
        Modifies registry class
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        227⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        228⤵
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        229⤵
        Drops file in Windows directory
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        230⤵
        Modifies registry class
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        231⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        232⤵
        Drops file in Windows directory
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        233⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        234⤵
        
        PID:3516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        235⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        236⤵
        Checks computer location settings
        
        PID:3520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        237⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        238⤵
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        239⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        240⤵
        Checks computer location settings
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        241⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        242⤵
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        243⤵
        Drops file in Windows directory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        244⤵
        
        PID:3500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        245⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        246⤵
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        247⤵
        Drops file in Windows directory
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        248⤵
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        249⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        250⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        251⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        252⤵
        Drops file in Windows directory
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        253⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        254⤵
        Checks computer location settings
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        255⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        256⤵
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        257⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        258⤵
        
        PID:1236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        259⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        260⤵
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        261⤵
        Drops file in Windows directory
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        262⤵
        Checks computer location settings
        
        PID:4816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        263⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        264⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        265⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        266⤵
        
        PID:5116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        267⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        268⤵
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        269⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        270⤵
        Drops file in Windows directory
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        271⤵
        Drops file in Windows directory
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        272⤵
        
        PID:2440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        273⤵
        Drops file in Windows directory
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        274⤵
        Checks computer location settings
        
        PID:3556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        275⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        276⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        277⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        278⤵
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        279⤵
        Drops file in Windows directory
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        280⤵
        Drops file in Windows directory
        
        PID:4248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        281⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        282⤵
        Checks computer location settings
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        283⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        284⤵
        
        PID:3816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        285⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        286⤵
        
        PID:4608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        287⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        288⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        289⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        290⤵
        
        PID:5108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        291⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        292⤵
        Checks computer location settings
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        293⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        294⤵
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        295⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        296⤵
        
        PID:1236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        297⤵
        Drops file in Windows directory
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        298⤵
        Checks computer location settings
        Modifies registry class
        
        PID:440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        299⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        300⤵
        
        PID:4140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        301⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        302⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        303⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        304⤵
        
        PID:4072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        305⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        306⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        307⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        308⤵
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        309⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        310⤵
        
        PID:3556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        311⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        312⤵
        Drops file in Windows directory
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        313⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        314⤵
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        315⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        316⤵
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        317⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        318⤵
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        319⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        320⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        321⤵
        Drops file in Windows directory
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        322⤵
        Checks computer location settings
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        323⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        324⤵
        Drops file in Windows directory
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        325⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        326⤵
        Modifies registry class
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        327⤵
        Drops file in Windows directory
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        328⤵
        Checks computer location settings
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        329⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        330⤵
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        331⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        332⤵
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        333⤵
        Drops file in Windows directory
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        334⤵
        Drops file in Windows directory
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        335⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        336⤵
        Checks computer location settings
        
        PID:1388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        337⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        338⤵
        Checks computer location settings
        
        PID:3124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        339⤵
        Drops file in Windows directory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        340⤵
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        341⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        342⤵
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        343⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        344⤵
        Checks computer location settings
        
        PID:240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        345⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        346⤵
        
        PID:964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        347⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        348⤵
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        349⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        350⤵
        Checks computer location settings
        
        PID:4716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        351⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        352⤵
        
        PID:456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        353⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        354⤵
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        355⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        356⤵
        Modifies registry class
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        357⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        358⤵
        Drops file in Windows directory
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        359⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        360⤵
        
        PID:4640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        361⤵
        Drops file in Windows directory
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        362⤵
        
        PID:4944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        363⤵
        Drops file in Windows directory
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        364⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        365⤵
        Drops file in Windows directory
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        366⤵
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        367⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        368⤵
        
        PID:3868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        369⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        370⤵
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        371⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        372⤵
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        373⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        374⤵
        Checks computer location settings
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        375⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        376⤵
        
        PID:4456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        377⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        378⤵
        Modifies registry class
        
        PID:1152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        379⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        380⤵
        
        PID:1128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        381⤵
        Drops file in Windows directory
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        382⤵
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        383⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        384⤵
        Checks computer location settings
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        385⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        386⤵
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        387⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        388⤵
        Modifies registry class
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        389⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        390⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        391⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        392⤵
        Checks computer location settings
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        393⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        394⤵
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        395⤵
        Drops file in Windows directory
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        396⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        397⤵
        Drops file in Windows directory
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        398⤵
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        399⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        400⤵
        
        PID:4944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        401⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        402⤵
        Checks computer location settings
        
        PID:4256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        403⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        404⤵
        Modifies registry class
        
        PID:5000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        405⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        406⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        407⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        408⤵
        Checks computer location settings
        
        PID:1976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        409⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        410⤵
        Drops file in Windows directory
        
        PID:4636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        411⤵
        Drops file in Windows directory
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        412⤵
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        413⤵
        Drops file in Windows directory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        414⤵
        Checks computer location settings
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        415⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        416⤵
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        417⤵
        Drops file in Windows directory
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        418⤵
        Checks computer location settings
        
        PID:3916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        419⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        420⤵
        
        PID:4108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        421⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        422⤵
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        423⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        424⤵
        
        PID:964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        425⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        426⤵
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        427⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        428⤵
        
        PID:268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        429⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        430⤵
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        431⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        432⤵
        Drops file in Windows directory
        
        PID:1552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        433⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        434⤵
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        435⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        436⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        437⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        438⤵
        Modifies registry class
        
        PID:4116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        439⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        440⤵
        Checks computer location settings
        
        PID:4836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        441⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        442⤵
        Drops file in Windows directory
        
        PID:4200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        443⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        444⤵
        Checks computer location settings
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        445⤵
        Drops file in Windows directory
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        446⤵
        Drops file in Windows directory
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        447⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        302⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        303⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        304⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        305⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        306⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        307⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        308⤵
        Checks computer location settings
        
        PID:3660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        309⤵
        Drops file in Windows directory
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        310⤵
        Modifies registry class
        
        PID:776

C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
1⤵
PID:4644
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
  2⤵
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
    3⤵
    PID:2424
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
      4⤵
      PID:232
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE
        5⤵
        
        PID:4408
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FCFEA3~1.EXE"
        6⤵
        
        PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

Filesize
623KB

MD5
6e84b6096aaa18cabc30f1122d5af449

SHA1
e6729edd11b52055b5e34d39e5f3b8f071bbac4f

SHA256
c6b7f9119cf867951f007c5468f75eb4dca59c7eedeb0afdd8ad9d5b9606e759

SHA512
af5b33e7e190587bb152adf65fbcd4c1cd521f638863a6d1c7de29599cce6439b6c7b653180661cb0382007aefa0ae5a1b1b841eaaa116ce715f3a5ba0725a42

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE

Filesize
178KB

MD5
22913149a9d766c415c21e613e4e1d1b

SHA1
36b33b1ab48615ebe7bd25472d50ba3de56a21c6

SHA256
495ac0a638059cb60b2eebf3ac5e8fd17d5fbc7424195308f19e2ffeac3e0ced

SHA512
d9e5396bb24e3ad7ba31b45e8e1bfeb74c32895ab3af6544715c5db04da0442fafd82b06c49a920d964cf0a8fac7a58ccef4a173f1a5879c6733748edc180b14

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE

Filesize
231KB

MD5
502a319fbb7b150927ab34568f50bc9a

SHA1
07fd28da8e9c5d7b96bc77904439858ddf8e4d10

SHA256
585a000313ccad7ba31747ea54670428f9214c0715c14418d4642020dec94b31

SHA512
b294f0206492bcf309ba9af04f23370c0f33591280709e08ab96074ef076bef4932b711144e48920b9c73e2f6d6bfe03e30944b5e5b34fb96826ce7a0911f15e

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE

Filesize
251KB

MD5
33cb4562e84c8bbbc8184b961e2e49ee

SHA1
d6549a52911eaeebcceb5bc39d71272d3b8f5111

SHA256
1f455ea6bab09377e5fdfbd5df102f79c5cbbb5fe5ce456f2fbb34f94ec848bb

SHA512
0b638a6e86816ba5d83de5fc381c85371f2f4fe0a2fdff40141859a42e255a082903e5692a49ef253265a42ec99924e5a0aa150cb7ed6cd5521f42f6c9fe27a9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE

Filesize
404KB

MD5
ea78ed9e7eb4cc64544163627476fe4b

SHA1
67aed91a59742a36c0ff635b15c692cde3eb3a9d

SHA256
d5adfd6c8160892716ad5f2907cc66888aee97e1d296404503e1d42dd30ba562

SHA512
eeee54e5ffbd243fe7ef6c93744c754bc238e5b05e85c7ca3b25edc02a8692cd10225edff40444fe2536608d0ed25578573e309503cb8f90f43d089d86f8710f

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
191KB

MD5
dd5586c90fad3d0acb402c1aab8f6642

SHA1
3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f

SHA256
fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e

SHA512
e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
6ce350ad38c8f7cbe5dd8fda30d11fa1

SHA1
4f232b8cccd031c25378b4770f85e8038e8655d8

SHA256
06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba

SHA512
4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
11486d1d22eaacf01580e3e650f1da3f

SHA1
a47a721efec08ade8456a6918c3de413a2f8c7a2

SHA256
5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3

SHA512
5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
27543bab17420af611ccc3029db9465a

SHA1
f0f96fd53f9695737a3fa6145bc5a6ce58227966

SHA256
75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

SHA512
a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fcfea317a0cb315cb6a99db1facb7f099a6f5966685835791848d63295471316.exe

Filesize
291KB

MD5
856c3f9db077388ce2b86c34c63ca470

SHA1
ee24ac0cea3e2ab7548adf1c8195ef25b8840a35

SHA256
84109d70d1dcf5676c2919b661869005f76c3b5656604c3064379aa9ab0fc3e2

SHA512
5baf83eabe2697bda271511cb753597df8e3df6e13831a13a0e428c6f36e50a1fcc975a1ba97ed9ebf48f71d4128746f52c741415877ce5895dab03185a3925f

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c974e8042e8a1d5143adc2fe969faea3

SHA1
d2cc3697ce73181a8d83a6335a50889aa18b2604

SHA256
23040cd71f7fd7e7ba1f56ef3cb018c9743e66e266005b0c29146578034672e7

SHA512
9c754318c2c0f97bba1da15d189cb97bb7dfc8781b089fdaa9a716d4a69df08a1cba10879f1f0be862a974e656a886da9beafb74782b65229e8170d1092a8abb

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c8012f3187a77c0d54b3861d91522a7d

SHA1
1ff028ea89ec13a0979ad53ce62246655569e500

SHA256
8cae610ba61759d677e1c37cb5bfc90446d73b80125b346ad7450abeac762f81

SHA512
3521ed1d30692987fa00b62c3a0bf885d07538f851a56ddea7ea967e561a899d3cc9cbb11f26bb401ee22ce5baee63d89d7ff5cea71368ada8e1a3715ef9ea42

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/32-146-0x0000000000000000-mapping.dmp

Download
memory/220-236-0x0000000000000000-mapping.dmp

Download
memory/228-238-0x0000000000000000-mapping.dmp

Download
memory/732-228-0x0000000000000000-mapping.dmp

Download
memory/780-148-0x0000000000000000-mapping.dmp

Download
memory/1036-142-0x0000000000000000-mapping.dmp

Download
memory/1248-260-0x0000000000000000-mapping.dmp

Download
memory/1320-223-0x0000000000000000-mapping.dmp

Download
memory/1340-250-0x0000000000000000-mapping.dmp

Download
memory/1396-246-0x0000000000000000-mapping.dmp

Download
memory/1588-249-0x0000000000000000-mapping.dmp

Download
memory/1676-251-0x0000000000000000-mapping.dmp

Download
memory/1700-233-0x0000000000000000-mapping.dmp

Download
memory/1776-229-0x0000000000000000-mapping.dmp

Download
memory/1836-257-0x0000000000000000-mapping.dmp

Download
memory/1984-244-0x0000000000000000-mapping.dmp

Download
memory/2192-187-0x0000000000000000-mapping.dmp

Download
memory/2264-160-0x0000000000000000-mapping.dmp

Download
memory/2304-172-0x0000000000000000-mapping.dmp

Download
memory/2344-221-0x0000000000000000-mapping.dmp

Download
memory/2380-253-0x0000000000000000-mapping.dmp

Download
memory/2728-154-0x0000000000000000-mapping.dmp

Download
memory/2728-243-0x0000000000000000-mapping.dmp

Download
memory/2804-231-0x0000000000000000-mapping.dmp

Download
memory/2816-248-0x0000000000000000-mapping.dmp

Download
memory/2820-157-0x0000000000000000-mapping.dmp

Download
memory/2940-259-0x0000000000000000-mapping.dmp

Download
memory/2992-256-0x0000000000000000-mapping.dmp

Download
memory/3016-220-0x0000000000000000-mapping.dmp

Download
memory/3052-225-0x0000000000000000-mapping.dmp

Download
memory/3084-239-0x0000000000000000-mapping.dmp

Download
memory/3132-191-0x0000000000000000-mapping.dmp

Download
memory/3188-232-0x0000000000000000-mapping.dmp

Download
memory/3232-247-0x0000000000000000-mapping.dmp

Download
memory/3324-175-0x0000000000000000-mapping.dmp

Download
memory/3436-224-0x0000000000000000-mapping.dmp

Download
memory/3472-185-0x0000000000000000-mapping.dmp

Download
memory/3580-227-0x0000000000000000-mapping.dmp

Download
memory/3588-235-0x0000000000000000-mapping.dmp

Download
memory/3596-140-0x0000000000000000-mapping.dmp

Download
memory/3620-226-0x0000000000000000-mapping.dmp

Download
memory/3668-222-0x0000000000000000-mapping.dmp

Download
memory/3728-252-0x0000000000000000-mapping.dmp

Download
memory/3852-242-0x0000000000000000-mapping.dmp

Download
memory/3996-152-0x0000000000000000-mapping.dmp

Download
memory/4116-258-0x0000000000000000-mapping.dmp

Download
memory/4200-255-0x0000000000000000-mapping.dmp

Download
memory/4256-206-0x0000000000000000-mapping.dmp

Download
memory/4300-167-0x0000000000000000-mapping.dmp

Download
memory/4436-240-0x0000000000000000-mapping.dmp

Download
memory/4576-133-0x0000000000000000-mapping.dmp

Download
memory/4580-212-0x0000000000000000-mapping.dmp

Download
memory/4584-194-0x0000000000000000-mapping.dmp

Download
memory/4684-136-0x0000000000000000-mapping.dmp

Download
memory/4684-234-0x0000000000000000-mapping.dmp

Download
memory/4752-241-0x0000000000000000-mapping.dmp

Download
memory/4776-164-0x0000000000000000-mapping.dmp

Download
memory/4812-245-0x0000000000000000-mapping.dmp

Download
memory/4864-237-0x0000000000000000-mapping.dmp

Download
memory/4876-230-0x0000000000000000-mapping.dmp

Download
memory/4892-199-0x0000000000000000-mapping.dmp

Download
memory/4904-254-0x0000000000000000-mapping.dmp

Download
memory/4948-181-0x0000000000000000-mapping.dmp

Download
memory/5108-179-0x0000000000000000-mapping.dmp

Download