810e4be15b627bf4ea5d1dfe9b929e0b2105f006271b054e904503eb8aac034c

Analysis

max time kernel
79s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8482193d202909f37741fcaa63b326f_JaffaCakes118.exe
Size

48KB
MD5

f8482193d202909f37741fcaa63b326f
SHA1

423ea00b7f5e2e775faed7f1654c616cdf783b42
SHA256

810e4be15b627bf4ea5d1dfe9b929e0b2105f006271b054e904503eb8aac034c
SHA512

d14130b7eb8c37e36daf2e1631f77393ca6002cf742bed5a6d3ddd81a7908ad3d9fedf71591e571330e3e16d8afd55e08c332df9e2c9c8b429b4e204f05f3dcb
SSDEEP

768:acCoFPA9SotRcR8sOSZ7S8NLt1ozy1wqbhkKb562g/k+xsZ+DbFkciVsKkAP2:VCoocR8sOkXh1YyFHY2gk+CwFkcekE2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f8482193d202909f37741fcaa63b326f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchsot.exe

Executes dropped EXE 64 IoCs

pid	Process
2724	svchsot.exe
2896	svchsot.exe
220	svchsot.exe
3256	svchsot.exe
2104	svchsot.exe
1388	svchsot.exe
748	svchsot.exe
1636	svchsot.exe
1756	svchsot.exe
1128	svchsot.exe
4900	svchsot.exe
3768	svchsot.exe
2944	svchsot.exe
3052	svchsot.exe
3744	svchsot.exe
5104	svchsot.exe
3148	svchsot.exe
1772	svchsot.exe
2240	svchsot.exe
2172	svchsot.exe
3216	svchsot.exe
4184	svchsot.exe
2184	svchsot.exe
1768	svchsot.exe
3468	svchsot.exe
1704	svchsot.exe
1796	svchsot.exe
4720	svchsot.exe
3476	svchsot.exe
4632	svchsot.exe
544	svchsot.exe
3744	svchsot.exe
5104	svchsot.exe
5100	svchsot.exe
3972	svchsot.exe
3400	svchsot.exe
4484	svchsot.exe
3512	svchsot.exe
740	svchsot.exe
3328	svchsot.exe
3236	svchsot.exe
4524	svchsot.exe
5024	svchsot.exe
4460	svchsot.exe
3984	svchsot.exe
2688	svchsot.exe
3728	svchsot.exe
4548	svchsot.exe
844	svchsot.exe
4120	svchsot.exe
1848	svchsot.exe
2756	svchsot.exe
4748	svchsot.exe
1716	svchsot.exe
3284	svchsot.exe
756	svchsot.exe
3328	svchsot.exe
3236	svchsot.exe
3392	svchsot.exe
3952	svchsot.exe
5092	svchsot.exe
4320	svchsot.exe
4056	svchsot.exe
4912	svchsot.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File opened for modification	C:\Windows\SysWOW64\locarxjh.sls	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe
File created	C:\Windows\SysWOW64\svchsot.exe	svchsot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 2724	4176	f8482193d202909f37741fcaa63b326f_JaffaCakes118.exe	91
PID 4176 wrote to memory of 2724	4176	f8482193d202909f37741fcaa63b326f_JaffaCakes118.exe	91
PID 4176 wrote to memory of 2724	4176	f8482193d202909f37741fcaa63b326f_JaffaCakes118.exe	91
PID 2724 wrote to memory of 2896	2724	svchsot.exe	92
PID 2724 wrote to memory of 2896	2724	svchsot.exe	92
PID 2724 wrote to memory of 2896	2724	svchsot.exe	92
PID 2896 wrote to memory of 220	2896	svchsot.exe	93
PID 2896 wrote to memory of 220	2896	svchsot.exe	93
PID 2896 wrote to memory of 220	2896	svchsot.exe	93
PID 220 wrote to memory of 3256	220	svchsot.exe	94
PID 220 wrote to memory of 3256	220	svchsot.exe	94
PID 220 wrote to memory of 3256	220	svchsot.exe	94
PID 3256 wrote to memory of 2104	3256	svchsot.exe	95
PID 3256 wrote to memory of 2104	3256	svchsot.exe	95
PID 3256 wrote to memory of 2104	3256	svchsot.exe	95
PID 2104 wrote to memory of 1388	2104	svchsot.exe	96
PID 2104 wrote to memory of 1388	2104	svchsot.exe	96
PID 2104 wrote to memory of 1388	2104	svchsot.exe	96
PID 1388 wrote to memory of 748	1388	svchsot.exe	97
PID 1388 wrote to memory of 748	1388	svchsot.exe	97
PID 1388 wrote to memory of 748	1388	svchsot.exe	97
PID 748 wrote to memory of 1636	748	svchsot.exe	98
PID 748 wrote to memory of 1636	748	svchsot.exe	98
PID 748 wrote to memory of 1636	748	svchsot.exe	98
PID 1636 wrote to memory of 1756	1636	svchsot.exe	99
PID 1636 wrote to memory of 1756	1636	svchsot.exe	99
PID 1636 wrote to memory of 1756	1636	svchsot.exe	99
PID 1756 wrote to memory of 1128	1756	svchsot.exe	100
PID 1756 wrote to memory of 1128	1756	svchsot.exe	100
PID 1756 wrote to memory of 1128	1756	svchsot.exe	100
PID 1128 wrote to memory of 4900	1128	svchsot.exe	101
PID 1128 wrote to memory of 4900	1128	svchsot.exe	101
PID 1128 wrote to memory of 4900	1128	svchsot.exe	101
PID 4900 wrote to memory of 3768	4900	svchsot.exe	102
PID 4900 wrote to memory of 3768	4900	svchsot.exe	102
PID 4900 wrote to memory of 3768	4900	svchsot.exe	102
PID 3768 wrote to memory of 2944	3768	svchsot.exe	103
PID 3768 wrote to memory of 2944	3768	svchsot.exe	103
PID 3768 wrote to memory of 2944	3768	svchsot.exe	103
PID 2944 wrote to memory of 3052	2944	svchsot.exe	104
PID 2944 wrote to memory of 3052	2944	svchsot.exe	104
PID 2944 wrote to memory of 3052	2944	svchsot.exe	104
PID 3052 wrote to memory of 3744	3052	svchsot.exe	127
PID 3052 wrote to memory of 3744	3052	svchsot.exe	127
PID 3052 wrote to memory of 3744	3052	svchsot.exe	127
PID 3744 wrote to memory of 5104	3744	svchsot.exe	128
PID 3744 wrote to memory of 5104	3744	svchsot.exe	128
PID 3744 wrote to memory of 5104	3744	svchsot.exe	128
PID 5104 wrote to memory of 3148	5104	svchsot.exe	108
PID 5104 wrote to memory of 3148	5104	svchsot.exe	108
PID 5104 wrote to memory of 3148	5104	svchsot.exe	108
PID 3148 wrote to memory of 1772	3148	svchsot.exe	110
PID 3148 wrote to memory of 1772	3148	svchsot.exe	110
PID 3148 wrote to memory of 1772	3148	svchsot.exe	110
PID 1772 wrote to memory of 2240	1772	svchsot.exe	111
PID 1772 wrote to memory of 2240	1772	svchsot.exe	111
PID 1772 wrote to memory of 2240	1772	svchsot.exe	111
PID 2240 wrote to memory of 2172	2240	svchsot.exe	112
PID 2240 wrote to memory of 2172	2240	svchsot.exe	112
PID 2240 wrote to memory of 2172	2240	svchsot.exe	112
PID 2172 wrote to memory of 3216	2172	svchsot.exe	114
PID 2172 wrote to memory of 3216	2172	svchsot.exe	114
PID 2172 wrote to memory of 3216	2172	svchsot.exe	114
PID 3216 wrote to memory of 4184	3216	svchsot.exe	115

C:\Users\Admin\AppData\Local\Temp\f8482193d202909f37741fcaa63b326f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8482193d202909f37741fcaa63b326f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4176
- C:\windows\SysWOW64\svchsot.exe
  "C:\windows\system32\svchsot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\windows\SysWOW64\svchsot.exe
    "C:\windows\system32\svchsot.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\windows\SysWOW64\svchsot.exe
      "C:\windows\system32\svchsot.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        23⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        24⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        26⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1704
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1796
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4720
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        30⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        31⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5100
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        36⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3400
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        38⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        40⤵
        Executes dropped EXE
        
        PID:740
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3328
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3236
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4524
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        46⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        48⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        49⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        50⤵
        Executes dropped EXE
        
        PID:844
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        51⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1848
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:756
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3392
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3952
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5092
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        65⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        66⤵
        Checks computer location settings
        
        PID:4016
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2388
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        69⤵
        
        PID:1848
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        70⤵
        
        PID:2756
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        71⤵
        Checks computer location settings
        
        PID:4508
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        72⤵
        
        PID:2424
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        73⤵
        
        PID:3356
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1808
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        75⤵
        Drops file in System32 directory
        
        PID:4524
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        76⤵
        Checks computer location settings
        
        PID:2304
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        77⤵
        Checks computer location settings
        
        PID:4764
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4460
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        79⤵
        
        PID:2888
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        80⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        81⤵
        
        PID:5008
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        82⤵
        
        PID:4808
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        83⤵
        
        PID:3336
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        84⤵
        
        PID:720
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        85⤵
        
        PID:8
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4204
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        87⤵
        Drops file in System32 directory
        
        PID:1764
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        88⤵
        
        PID:4336
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        89⤵
        Checks computer location settings
        
        PID:740
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        90⤵
        Checks computer location settings
        
        PID:608
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        91⤵
        Checks computer location settings
        
        PID:1156
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4720
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        93⤵
        
        PID:3236
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        94⤵
        Drops file in System32 directory
        
        PID:3768
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        95⤵
        Checks computer location settings
        
        PID:4400
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        96⤵
        
        PID:3560
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        97⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        98⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        99⤵
        
        PID:536
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        100⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        101⤵
        Checks computer location settings
        
        PID:4120
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        102⤵
        Drops file in System32 directory
        
        PID:4504
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        103⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:8
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        104⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        105⤵
        Drops file in System32 directory
        
        PID:4124
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        106⤵
        Drops file in System32 directory
        
        PID:4924
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        107⤵
        
        PID:1104
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        108⤵
        
        PID:3348
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        109⤵
        Checks computer location settings
        
        PID:1136
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5088
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        111⤵
        Checks computer location settings
        
        PID:336
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        112⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        113⤵
        
        PID:3912
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        114⤵
        
        PID:5060
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        115⤵
        Drops file in System32 directory
        
        PID:4676
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        116⤵
        
        PID:3280
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        117⤵
        Checks computer location settings
        
        PID:536
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        118⤵
        
        PID:2252
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        119⤵
        
        PID:2868
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        120⤵
        
        PID:4008
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        121⤵
        Drops file in System32 directory
        
        PID:3792
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        122⤵
        
        PID:4508
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        123⤵
        Checks computer location settings
        
        PID:1448
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        124⤵
        
        PID:4944
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        125⤵
        
        PID:708
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        126⤵
        Drops file in System32 directory
        
        PID:3772
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        127⤵
        
        PID:4720
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        128⤵
        
        PID:2080
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        129⤵
        Checks computer location settings
        
        PID:4684
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        130⤵
        Checks computer location settings
        
        PID:336
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        131⤵
        
        PID:2008
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        132⤵
        
        PID:3900
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        133⤵
        
        PID:3456
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        134⤵
        
        PID:2204
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        135⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1616
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        136⤵
        
        PID:1460
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        137⤵
        
        PID:392
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        138⤵
        Checks computer location settings
        
        PID:844
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        139⤵
        
        PID:404
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        140⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2064
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        141⤵
        Checks computer location settings
        
        PID:3468
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        142⤵
        
        PID:3452
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        143⤵
        
        PID:3424
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        144⤵
        Checks computer location settings
        
        PID:3356
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        145⤵
        Checks computer location settings
        
        PID:3348
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        146⤵
        
        PID:4736
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        147⤵
        
        PID:4832
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        148⤵
        
        PID:3768
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        149⤵
        
        PID:4464
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        150⤵
        Checks computer location settings
        
        PID:4432
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        151⤵
        Checks computer location settings
        
        PID:436
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        152⤵
        Checks computer location settings
        
        PID:4020
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        153⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        154⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        155⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3804
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        156⤵
        Checks computer location settings
        
        PID:720
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        157⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        158⤵
        Checks computer location settings
        
        PID:404
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        159⤵
        Checks computer location settings
        
        PID:2064
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        160⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3468
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        161⤵
        
        PID:3452
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        162⤵
        
        PID:3424
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        163⤵
        Checks computer location settings
        
        PID:3356
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        164⤵
        Drops file in System32 directory
        
        PID:1136
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        165⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        166⤵
        
        PID:3984
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        167⤵
        
        PID:3472
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        168⤵
        
        PID:3668
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        169⤵
        
        PID:4056
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        170⤵
        
        PID:4432
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        171⤵
        
        PID:4428
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        172⤵
        
        PID:1960
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        173⤵
        
        PID:536
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        174⤵
        
        PID:2668
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        175⤵
        
        PID:664
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        176⤵
        
        PID:4008
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        177⤵
        
        PID:3980
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        178⤵
        
        PID:640
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        179⤵
        
        PID:740
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        180⤵
        
        PID:608
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        181⤵
        
        PID:2720
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        182⤵
        
        PID:1768
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        183⤵
        
        PID:1380
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        184⤵
        
        PID:3760
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        185⤵
        
        PID:5000
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        186⤵
        
        PID:3392
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        187⤵
        
        PID:4320
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        188⤵
        
        PID:4848
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        189⤵
        
        PID:3912
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        190⤵
        
        PID:4468
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        191⤵
        
        PID:3512
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        192⤵
        
        PID:3280
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        193⤵
        
        PID:820
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        194⤵
        
        PID:2548
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        195⤵
        
        PID:528
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        196⤵
        
        PID:2356
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        197⤵
        
        PID:2484
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        198⤵
        
        PID:3792
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        199⤵
        
        PID:1824
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        200⤵
        
        PID:1164
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        201⤵
        
        PID:680
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        202⤵
        
        PID:4536
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        203⤵
        
        PID:3232
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        204⤵
        
        PID:4816
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        205⤵
        
        PID:3424
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        206⤵
        
        PID:4716
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        207⤵
        
        PID:1620
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        208⤵
        
        PID:4400
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        209⤵
        
        PID:1692
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        210⤵
        
        PID:3460
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        211⤵
        
        PID:1392
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        212⤵
        
        PID:544
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        213⤵
        
        PID:2204
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        214⤵
        
        PID:1964
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        215⤵
        
        PID:1616
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        216⤵
        
        PID:3824
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        217⤵
        
        PID:3216
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        218⤵
        
        PID:1848
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        219⤵
        
        PID:4748
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        220⤵
        
        PID:3060
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        221⤵
        
        PID:2140
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        222⤵
        
        PID:1528
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        223⤵
        
        PID:756
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        224⤵
        
        PID:1968
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        225⤵
        
        PID:4804
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        226⤵
        
        PID:3728
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        227⤵
        
        PID:4716
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        228⤵
        
        PID:1852
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        229⤵
        
        PID:4056
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        230⤵
        
        PID:432
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        231⤵
        
        PID:4336
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        232⤵
        
        PID:400
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        233⤵
        
        PID:3268
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        234⤵
        
        PID:1504
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        235⤵
        
        PID:3204
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        236⤵
        
        PID:3572
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        237⤵
        
        PID:2356
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        238⤵
        
        PID:720
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        239⤵
        
        PID:4184
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        240⤵
        
        PID:2120
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        241⤵
        
        PID:3112
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        242⤵
        
        PID:3060
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        243⤵
        
        PID:1092
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        244⤵
        
        PID:5032
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        245⤵
        
        PID:696
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        246⤵
        
        PID:4536
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        247⤵
        
        PID:1968
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        248⤵
        
        PID:2284
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        249⤵
        
        PID:3548
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        250⤵
        
        PID:3084
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        251⤵
        
        PID:5100
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        252⤵
        
        PID:4016
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        253⤵
        
        PID:4412
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        254⤵
        
        PID:1196
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        255⤵
        
        PID:2788
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        256⤵
        
        PID:1132
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        257⤵
        
        PID:1220
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        258⤵
        
        PID:1660
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        259⤵
        
        PID:1248
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        260⤵
        
        PID:620
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        261⤵
        
        PID:1456
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        262⤵
        
        PID:2384
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        263⤵
        
        PID:2112
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        264⤵
        
        PID:2904
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        265⤵
        
        PID:4748
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        266⤵
        
        PID:4156
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        267⤵
        
        PID:3676
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        268⤵
        
        PID:896
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        269⤵
        
        PID:1516
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        270⤵
        
        PID:456
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        271⤵
        
        PID:3020
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        272⤵
        
        PID:2488
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        273⤵
        
        PID:3548
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        274⤵
        
        PID:2008
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        275⤵
        
        PID:4212
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        276⤵
        
        PID:1612
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        277⤵
        
        PID:1484
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        278⤵
        
        PID:4488
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        279⤵
        
        PID:4176
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        280⤵
        
        PID:1616
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        281⤵
        
        PID:3704
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        282⤵
        
        PID:528
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        283⤵
        
        PID:392
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        284⤵
        
        PID:2484
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        285⤵
        
        PID:800
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        286⤵
        
        PID:3496
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        287⤵
        
        PID:4692
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        288⤵
        
        PID:3468
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        289⤵
        
        PID:3080
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        290⤵
        
        PID:1796
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        291⤵
        
        PID:5108
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        292⤵
        
        PID:4436
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        293⤵
        
        PID:4720
        
        C:\windows\SysWOW64\svchsot.exe
        
        "C:\windows\system32\svchsot.exe"
        294⤵
        
        PID:4228

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv CGD3gLuGlUOGCdzmJ0jChg.0.2
1⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1268 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\locarxjh.sls

Filesize
64KB

MD5
43adb3be87e9f8701edd88bc1bf879ac

SHA1
60e052d9c09520aa706c17e2124aeb7ee974cdca

SHA256
5ef291e6e7731f209cc3ea7f9327071c5fdabcef5708309b18004c6ca396c84a

SHA512
6271f0478eca2121f2076f53469f11aaa9c18e0b1d49a2be27c4d216fff462ed2edbcfcafc6aa65989bba52896dfe8fa1a17b4573153e28771b2052a2d41b04a

Download Submit
C:\Windows\SysWOW64\svchsot.exe

Filesize
48KB

MD5
f8482193d202909f37741fcaa63b326f

SHA1
423ea00b7f5e2e775faed7f1654c616cdf783b42

SHA256
810e4be15b627bf4ea5d1dfe9b929e0b2105f006271b054e904503eb8aac034c

SHA512
d14130b7eb8c37e36daf2e1631f77393ca6002cf742bed5a6d3ddd81a7908ad3d9fedf71591e571330e3e16d8afd55e08c332df9e2c9c8b429b4e204f05f3dcb

Download Submit
memory/220-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/220-29-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/220-25-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/544-202-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/748-51-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/748-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1128-70-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/1128-73-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1128-75-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1388-44-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/1388-45-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1388-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1636-57-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/1636-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1704-176-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1704-173-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1704-170-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/1756-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1756-63-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/1756-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-162-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-157-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-158-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/1772-123-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1772-128-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-177-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-180-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2104-36-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2104-37-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/2104-38-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2104-42-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2172-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2172-134-0x0000000000560000-0x00000000005A0000-memory.dmp

Filesize
256KB

Download
memory/2184-156-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2184-150-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2184-151-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2240-133-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2240-127-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2724-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2724-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2896-21-0x0000000000560000-0x00000000005A0000-memory.dmp

Filesize
256KB

Download
memory/2896-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2896-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2944-91-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/2944-94-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2944-97-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3052-98-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/3052-102-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3148-116-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3148-121-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3216-144-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3216-140-0x0000000000560000-0x00000000005A0000-memory.dmp

Filesize
256KB

Download
memory/3256-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3256-31-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/3256-30-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3468-168-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3468-164-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/3728-268-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3744-104-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/3744-108-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3768-89-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3768-85-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3768-84-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/4176-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4176-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4176-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4184-152-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4184-146-0x0000000000560000-0x00000000005A0000-memory.dmp

Filesize
256KB

Download
memory/4184-145-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4900-82-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4900-77-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/4900-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4900-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5104-110-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/5104-111-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5104-115-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5104-211-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download