Malware Analysis Report

2024-09-11 00:53

Sample ID 240615-kmrefaxgmj
Target ad975143b690ef3734b81ebeea5708fc_JaffaCakes118
SHA256 b8dafa1125206c754bb909af146ed820b8c36bb636cacd63db456e07e59d10a6
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8dafa1125206c754bb909af146ed820b8c36bb636cacd63db456e07e59d10a6

Threat Level: Known bad

The file ad975143b690ef3734b81ebeea5708fc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta family

Detect Neshta payload

Neshta

Modifies system executable filetype association

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 08:43

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 08:43

Reported

2024-06-15 08:45

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4580 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe
PID 3576 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe C:\Windows\svchost.com
PID 3684 wrote to memory of 2844 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2844 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 216 wrote to memory of 4200 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 4200 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 1768 wrote to memory of 4928 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 4928 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 2384 wrote to memory of 1696 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 1696 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 2456 wrote to memory of 2140 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2140 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 1548 wrote to memory of 3216 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 3216 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 3516 wrote to memory of 4620 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 4620 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 1928 wrote to memory of 3220 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 3220 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 4720 wrote to memory of 2732 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2732 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 1628 wrote to memory of 2648 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2648 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com

Processes

C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv zYFksGxPhkGlFgt0fzLR4A.0.2

Network

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe

C:\Windows\svchost.com

C:\Windows\directx.sys

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

C:\PROGRA~2\Google\Update\DISABL~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{C0257~1\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 08:43

Reported

2024-06-15 08:45

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe
PID 2212 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe C:\Windows\svchost.com
PID 1980 wrote to memory of 2712 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2712 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 2068 wrote to memory of 1420 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 1420 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 2852 wrote to memory of 2776 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2776 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 2508 wrote to memory of 2980 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2980 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 1600 wrote to memory of 2592 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2592 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com
PID 2312 wrote to memory of 2724 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2724 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 2968 wrote to memory of 1948 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
PID 1948 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE C:\Windows\svchost.com

Processes

C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\ad975143b690ef3734b81ebeea5708fc_JaffaCakes118.exe

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

C:\Windows\svchost.com

C:\Windows\directx.sys

C:\Windows\directx.sys

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2068-44-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1420-43-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2776-57-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-58-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2508-72-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2980-71-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1600-86-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2592-87-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2312-100-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2724-99-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2968-114-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1948-113-0x0000000000400000-0x000000000041B000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\AD9751~1.EXE
