e776bac009401a8690377b7b49ba6ff61aea4eea48e1d3f208284556292fefc3

Analysis

max time kernel
150s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
Size

73KB
MD5

074c415b7ff6216759269472e63ef44d
SHA1

238dfa827dcaa7ac3f48d30909abd20ecfedbb8e
SHA256

e776bac009401a8690377b7b49ba6ff61aea4eea48e1d3f208284556292fefc3
SHA512

8b93a53a7620a069ac046484f6c3ace792a8e83b6425d90de4b582f03d2dae3d2e531754708d4d7b9e2b5189b070f734cba9f43f084d11fd6615d5c9cb4ff81b
SSDEEP

1536:81z9+RskvxHkV3dDivpPpfl/WZD8bWdjyv4NXuuSY5T3:y9+Rsk54tclll/RbWtyv49V3

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wcsydrv.exe

Executes dropped EXE 64 IoCs

pid	Process
5108	wcsydrv.exe
2436	wcsydrv.exe
3344	wcsydrv.exe
4932	wcsydrv.exe
4168	wcsydrv.exe
1976	wcsydrv.exe
3464	wcsydrv.exe
4892	wcsydrv.exe
2440	wcsydrv.exe
860	wcsydrv.exe
264	wcsydrv.exe
3208	wcsydrv.exe
1652	wcsydrv.exe
808	wcsydrv.exe
3696	wcsydrv.exe
3164	wcsydrv.exe
1940	wcsydrv.exe
1096	wcsydrv.exe
3560	wcsydrv.exe
4552	wcsydrv.exe
3368	wcsydrv.exe
1140	wcsydrv.exe
4668	wcsydrv.exe
512	wcsydrv.exe
1448	wcsydrv.exe
4568	wcsydrv.exe
2824	wcsydrv.exe
3700	wcsydrv.exe
412	wcsydrv.exe
2412	wcsydrv.exe
4208	wcsydrv.exe
1528	wcsydrv.exe
2456	wcsydrv.exe
2500	wcsydrv.exe
1596	wcsydrv.exe
4220	wcsydrv.exe
2560	wcsydrv.exe
3548	wcsydrv.exe
968	wcsydrv.exe
548	wcsydrv.exe
2324	wcsydrv.exe
4460	wcsydrv.exe
2776	wcsydrv.exe
2192	wcsydrv.exe
2128	wcsydrv.exe
4284	wcsydrv.exe
3076	wcsydrv.exe
1988	wcsydrv.exe
4264	wcsydrv.exe
1960	wcsydrv.exe
4176	wcsydrv.exe
2400	wcsydrv.exe
428	wcsydrv.exe
3344	wcsydrv.exe
2172	wcsydrv.exe
3200	wcsydrv.exe
1456	wcsydrv.exe
2788	wcsydrv.exe
3532	wcsydrv.exe
2440	wcsydrv.exe
1800	wcsydrv.exe
5064	wcsydrv.exe
1656	wcsydrv.exe
1652	wcsydrv.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe"	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe

Modifies WinLogon 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 2400	3592	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	83
PID 5108 set thread context of 2436	5108	wcsydrv.exe	85
PID 3344 set thread context of 4932	3344	wcsydrv.exe	87
PID 4168 set thread context of 1976	4168	wcsydrv.exe	89
PID 3464 set thread context of 4892	3464	wcsydrv.exe	91
PID 2440 set thread context of 860	2440	wcsydrv.exe	93
PID 264 set thread context of 3208	264	wcsydrv.exe	95
PID 1652 set thread context of 808	1652	wcsydrv.exe	97
PID 3696 set thread context of 3164	3696	wcsydrv.exe	99
PID 1940 set thread context of 1096	1940	wcsydrv.exe	101
PID 3560 set thread context of 4552	3560	wcsydrv.exe	103
PID 3368 set thread context of 1140	3368	wcsydrv.exe	105
PID 4668 set thread context of 512	4668	wcsydrv.exe	107
PID 1448 set thread context of 4568	1448	wcsydrv.exe	109
PID 2824 set thread context of 3700	2824	wcsydrv.exe	111
PID 412 set thread context of 2412	412	wcsydrv.exe	113
PID 4208 set thread context of 1528	4208	wcsydrv.exe	115
PID 2456 set thread context of 2500	2456	wcsydrv.exe	117
PID 1596 set thread context of 4220	1596	wcsydrv.exe	119
PID 2560 set thread context of 3548	2560	wcsydrv.exe	121
PID 968 set thread context of 548	968	wcsydrv.exe	123
PID 2324 set thread context of 4460	2324	wcsydrv.exe	125
PID 2776 set thread context of 2192	2776	wcsydrv.exe	127
PID 2128 set thread context of 4284	2128	wcsydrv.exe	129
PID 3076 set thread context of 1988	3076	wcsydrv.exe	131
PID 4264 set thread context of 1960	4264	wcsydrv.exe	133
PID 4176 set thread context of 2400	4176	wcsydrv.exe	135
PID 428 set thread context of 3344	428	wcsydrv.exe	137
PID 2172 set thread context of 3200	2172	wcsydrv.exe	139
PID 1456 set thread context of 2788	1456	wcsydrv.exe	141
PID 3532 set thread context of 2440	3532	wcsydrv.exe	143
PID 1800 set thread context of 5064	1800	wcsydrv.exe	145
PID 1656 set thread context of 1652	1656	wcsydrv.exe	147
PID 3864 set thread context of 3696	3864	wcsydrv.exe	149
PID 4936 set thread context of 1940	4936	wcsydrv.exe	152
PID 4756 set thread context of 3956	4756	wcsydrv.exe	155
PID 4380 set thread context of 4100	4380	wcsydrv.exe	157
PID 1792 set thread context of 392	1792	wcsydrv.exe	160
PID 2912 set thread context of 1400	2912	wcsydrv.exe	163
PID 1320 set thread context of 2404	1320	wcsydrv.exe	165
PID 3144 set thread context of 1548	3144	wcsydrv.exe	167
PID 4868 set thread context of 3708	4868	wcsydrv.exe	169
PID 2584 set thread context of 1496	2584	wcsydrv.exe	171
PID 884 set thread context of 968	884	wcsydrv.exe	173
PID 2736 set thread context of 3248	2736	wcsydrv.exe	175
PID 456 set thread context of 4972	456	wcsydrv.exe	177
PID 4804 set thread context of 4812	4804	wcsydrv.exe	180
PID 4980 set thread context of 3724	4980	wcsydrv.exe	182
PID 1988 set thread context of 4556	1988	wcsydrv.exe	184
PID 1960 set thread context of 2488	1960	wcsydrv.exe	186
PID 1392 set thread context of 2400	1392	wcsydrv.exe	188
PID 1152 set thread context of 1956	1152	wcsydrv.exe	190
PID 4740 set thread context of 2256	4740	wcsydrv.exe	193
PID 3296 set thread context of 860	3296	wcsydrv.exe	196
PID 4960 set thread context of 1656	4960	wcsydrv.exe	198
PID 404 set thread context of 808	404	wcsydrv.exe	200
PID 1816 set thread context of 4436	1816	wcsydrv.exe	202
PID 3060 set thread context of 3972	3060	wcsydrv.exe	204
PID 3956 set thread context of 4744	3956	wcsydrv.exe	206
PID 4100 set thread context of 2996	4100	wcsydrv.exe	208
PID 1256 set thread context of 2564	1256	wcsydrv.exe	210
PID 744 set thread context of 2404	744	wcsydrv.exe	212
PID 4732 set thread context of 5116	4732	wcsydrv.exe	214
PID 1408 set thread context of 5036	1408	wcsydrv.exe	216

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsydrv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2400	3592	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2400	3592	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2400	3592	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2400	3592	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2400	3592	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	83
PID 2400 wrote to memory of 5108	2400	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	84
PID 2400 wrote to memory of 5108	2400	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	84
PID 2400 wrote to memory of 5108	2400	074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe	84
PID 5108 wrote to memory of 2436	5108	wcsydrv.exe	85
PID 5108 wrote to memory of 2436	5108	wcsydrv.exe	85
PID 5108 wrote to memory of 2436	5108	wcsydrv.exe	85
PID 5108 wrote to memory of 2436	5108	wcsydrv.exe	85
PID 5108 wrote to memory of 2436	5108	wcsydrv.exe	85
PID 2436 wrote to memory of 3344	2436	wcsydrv.exe	86
PID 2436 wrote to memory of 3344	2436	wcsydrv.exe	86
PID 2436 wrote to memory of 3344	2436	wcsydrv.exe	86
PID 3344 wrote to memory of 4932	3344	wcsydrv.exe	87
PID 3344 wrote to memory of 4932	3344	wcsydrv.exe	87
PID 3344 wrote to memory of 4932	3344	wcsydrv.exe	87
PID 3344 wrote to memory of 4932	3344	wcsydrv.exe	87
PID 3344 wrote to memory of 4932	3344	wcsydrv.exe	87
PID 4932 wrote to memory of 4168	4932	wcsydrv.exe	88
PID 4932 wrote to memory of 4168	4932	wcsydrv.exe	88
PID 4932 wrote to memory of 4168	4932	wcsydrv.exe	88
PID 4168 wrote to memory of 1976	4168	wcsydrv.exe	89
PID 4168 wrote to memory of 1976	4168	wcsydrv.exe	89
PID 4168 wrote to memory of 1976	4168	wcsydrv.exe	89
PID 4168 wrote to memory of 1976	4168	wcsydrv.exe	89
PID 4168 wrote to memory of 1976	4168	wcsydrv.exe	89
PID 1976 wrote to memory of 3464	1976	wcsydrv.exe	90
PID 1976 wrote to memory of 3464	1976	wcsydrv.exe	90
PID 1976 wrote to memory of 3464	1976	wcsydrv.exe	90
PID 3464 wrote to memory of 4892	3464	wcsydrv.exe	91
PID 3464 wrote to memory of 4892	3464	wcsydrv.exe	91
PID 3464 wrote to memory of 4892	3464	wcsydrv.exe	91
PID 3464 wrote to memory of 4892	3464	wcsydrv.exe	91
PID 3464 wrote to memory of 4892	3464	wcsydrv.exe	91
PID 4892 wrote to memory of 2440	4892	wcsydrv.exe	92
PID 4892 wrote to memory of 2440	4892	wcsydrv.exe	92
PID 4892 wrote to memory of 2440	4892	wcsydrv.exe	92
PID 2440 wrote to memory of 860	2440	wcsydrv.exe	93
PID 2440 wrote to memory of 860	2440	wcsydrv.exe	93
PID 2440 wrote to memory of 860	2440	wcsydrv.exe	93
PID 2440 wrote to memory of 860	2440	wcsydrv.exe	93
PID 2440 wrote to memory of 860	2440	wcsydrv.exe	93
PID 860 wrote to memory of 264	860	wcsydrv.exe	94
PID 860 wrote to memory of 264	860	wcsydrv.exe	94
PID 860 wrote to memory of 264	860	wcsydrv.exe	94
PID 264 wrote to memory of 3208	264	wcsydrv.exe	95
PID 264 wrote to memory of 3208	264	wcsydrv.exe	95
PID 264 wrote to memory of 3208	264	wcsydrv.exe	95
PID 264 wrote to memory of 3208	264	wcsydrv.exe	95
PID 264 wrote to memory of 3208	264	wcsydrv.exe	95
PID 3208 wrote to memory of 1652	3208	wcsydrv.exe	96
PID 3208 wrote to memory of 1652	3208	wcsydrv.exe	96
PID 3208 wrote to memory of 1652	3208	wcsydrv.exe	96
PID 1652 wrote to memory of 808	1652	wcsydrv.exe	97
PID 1652 wrote to memory of 808	1652	wcsydrv.exe	97
PID 1652 wrote to memory of 808	1652	wcsydrv.exe	97
PID 1652 wrote to memory of 808	1652	wcsydrv.exe	97
PID 1652 wrote to memory of 808	1652	wcsydrv.exe	97
PID 808 wrote to memory of 3696	808	wcsydrv.exe	98
PID 808 wrote to memory of 3696	808	wcsydrv.exe	98
PID 808 wrote to memory of 3696	808	wcsydrv.exe	98

C:\Users\Admin\AppData\Local\Temp\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
    "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
      C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3344
      - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        8⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        12⤵
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        16⤵
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        18⤵
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        20⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        26⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        28⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        34⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        36⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        38⤵
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        40⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies WinLogon
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies WinLogon
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        46⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        48⤵
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        52⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        54⤵
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        56⤵
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        58⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies WinLogon
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        60⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        64⤵
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        66⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        67⤵
        Suspicious use of SetThreadContext
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        68⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        69⤵
        Suspicious use of SetThreadContext
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        70⤵
        Checks computer location settings
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        71⤵
        Suspicious use of SetThreadContext
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        72⤵
        Adds Run key to start application
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        73⤵
        Suspicious use of SetThreadContext
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        74⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        75⤵
        Suspicious use of SetThreadContext
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        76⤵
        Adds policy Run key to start application
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        77⤵
        Suspicious use of SetThreadContext
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        78⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        79⤵
        Suspicious use of SetThreadContext
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        80⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        81⤵
        Suspicious use of SetThreadContext
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        82⤵
        Modifies WinLogon
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        83⤵
        Suspicious use of SetThreadContext
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        84⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        85⤵
        Suspicious use of SetThreadContext
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        86⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        87⤵
        Suspicious use of SetThreadContext
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        88⤵
        Checks computer location settings
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        89⤵
        Suspicious use of SetThreadContext
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        90⤵
        Modifies WinLogon
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        91⤵
        Suspicious use of SetThreadContext
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        92⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        93⤵
        Suspicious use of SetThreadContext
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        94⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        95⤵
        Suspicious use of SetThreadContext
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        96⤵
        Adds Run key to start application
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        97⤵
        Suspicious use of SetThreadContext
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        98⤵
        Adds Run key to start application
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        99⤵
        Suspicious use of SetThreadContext
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        100⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        101⤵
        Suspicious use of SetThreadContext
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        102⤵
        Adds policy Run key to start application
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        103⤵
        Suspicious use of SetThreadContext
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        105⤵
        Suspicious use of SetThreadContext
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        106⤵
        Checks computer location settings
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        107⤵
        Suspicious use of SetThreadContext
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        108⤵
        Adds Run key to start application
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        109⤵
        Suspicious use of SetThreadContext
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        110⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        111⤵
        Suspicious use of SetThreadContext
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        112⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        113⤵
        Suspicious use of SetThreadContext
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        114⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        115⤵
        Suspicious use of SetThreadContext
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        116⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        118⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        119⤵
        Suspicious use of SetThreadContext
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        120⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        121⤵
        Suspicious use of SetThreadContext
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        122⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        123⤵
        Suspicious use of SetThreadContext
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        124⤵
        Adds policy Run key to start application
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        125⤵
        Suspicious use of SetThreadContext
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        126⤵
        Adds policy Run key to start application
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        127⤵
        Suspicious use of SetThreadContext
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        128⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        129⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        130⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        131⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        132⤵
        Modifies WinLogon
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        133⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        134⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        135⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        136⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        138⤵
        Checks computer location settings
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        139⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        140⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        141⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        142⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        143⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        144⤵
        Modifies WinLogon
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        145⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        146⤵
        Modifies WinLogon
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        148⤵
        Adds Run key to start application
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        149⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        150⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        152⤵
        Adds policy Run key to start application
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        153⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        154⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        155⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        156⤵
        Checks computer location settings
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        158⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        159⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        160⤵
        Adds policy Run key to start application
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        161⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        162⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        163⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        164⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        165⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        166⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        168⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        169⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        170⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        171⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        172⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        174⤵
        Adds Run key to start application
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        175⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        176⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        177⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        178⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        179⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        180⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        181⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        182⤵
        Checks computer location settings
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        183⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        184⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        185⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        186⤵
        Modifies WinLogon
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        187⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        188⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        189⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        190⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        192⤵
        Modifies WinLogon
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        193⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        194⤵
        Modifies WinLogon
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        195⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        197⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        198⤵
        Checks computer location settings
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        199⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        200⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        201⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        202⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        203⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        204⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        205⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        206⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        207⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        208⤵
        Adds Run key to start application
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        209⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        211⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        212⤵
        Modifies WinLogon
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        213⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        214⤵
        Adds Run key to start application
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        215⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        216⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        217⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        218⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        219⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        220⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        221⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        222⤵
        Checks computer location settings
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        223⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        224⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        225⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        226⤵
        Adds Run key to start application
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        227⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        228⤵
        Checks computer location settings
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        229⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        231⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        232⤵
        Adds Run key to start application
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        233⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        234⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        235⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        236⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        237⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        238⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        239⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        240⤵
        Adds policy Run key to start application
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        241⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        242⤵
        Adds policy Run key to start application
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        243⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        244⤵
        Modifies WinLogon
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        245⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        246⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        247⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        248⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        249⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        250⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        251⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        252⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        253⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        254⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        255⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        256⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        257⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        258⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        259⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        260⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        261⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        262⤵
        Modifies WinLogon
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        263⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        264⤵
        Modifies WinLogon
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        265⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        266⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        267⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        268⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        269⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        270⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        271⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        272⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        274⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        275⤵
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        276⤵
        Adds Run key to start application
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        277⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        278⤵
        Checks computer location settings
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        279⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        280⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        281⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        282⤵
        Adds policy Run key to start application
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        283⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        284⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        285⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        286⤵
        Adds policy Run key to start application
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        287⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        288⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        289⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        290⤵
        Adds policy Run key to start application
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        291⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        292⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        293⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        294⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        295⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        296⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        297⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        298⤵
        Adds Run key to start application
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        299⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        300⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        301⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        302⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        303⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        304⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        305⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        306⤵
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        307⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        308⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        309⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        310⤵
        Checks computer location settings
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        311⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        312⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        313⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        314⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        315⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        316⤵
        Checks computer location settings
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        318⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        319⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        320⤵
        Checks computer location settings
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        321⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        322⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        323⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        324⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        325⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        326⤵
        Modifies WinLogon
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        327⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        328⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        329⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        330⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        331⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        332⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        334⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        335⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        336⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        337⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        338⤵
        Adds policy Run key to start application
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        339⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        340⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        341⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        342⤵
        Checks computer location settings
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        343⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        344⤵
        Adds Run key to start application
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        345⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        346⤵
        Modifies WinLogon
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        347⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        348⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        349⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        350⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        351⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        352⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        353⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        354⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        355⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        356⤵
        Adds Run key to start application
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        357⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        358⤵
        Modifies WinLogon
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        359⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        360⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        361⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        362⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        363⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        364⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        365⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        366⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        367⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        368⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        369⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        370⤵
        Adds policy Run key to start application
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        371⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        372⤵
        Modifies WinLogon
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        373⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        374⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        375⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        376⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        377⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        378⤵
        Adds policy Run key to start application
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        379⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        380⤵
        Adds Run key to start application
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        381⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        382⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        383⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        384⤵
        Checks computer location settings
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        385⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        386⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        387⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        388⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        389⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        390⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        391⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        392⤵
        Adds policy Run key to start application
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        393⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        394⤵
        Checks computer location settings
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        395⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        396⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        397⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        398⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        399⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        400⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        401⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        402⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        403⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        404⤵
        Modifies WinLogon
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        405⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        406⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        407⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        408⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        409⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        410⤵
        Checks computer location settings
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        411⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        412⤵
        Adds policy Run key to start application
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        413⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        414⤵
        Adds Run key to start application
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        415⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        416⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        417⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        418⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        419⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        420⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        421⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        422⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        423⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        424⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        425⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        426⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        427⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        428⤵
        Adds Run key to start application
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        429⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        430⤵
        Checks computer location settings
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        431⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        432⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        433⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        434⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        435⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        436⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        437⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        438⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        439⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        440⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        441⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        442⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        443⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        444⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        445⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        446⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        447⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        448⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        449⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        450⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        451⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        452⤵
        Adds Run key to start application
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        453⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        454⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        455⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        456⤵
        Modifies WinLogon
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        457⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        458⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        459⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        460⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        461⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        462⤵
        Adds policy Run key to start application
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        463⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        464⤵
        Adds policy Run key to start application
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        465⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        466⤵
        Adds policy Run key to start application
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        467⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        468⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        469⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        470⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        471⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        472⤵
        Adds Run key to start application
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        473⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        474⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        475⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        476⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        477⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        478⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        479⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        480⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        481⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        482⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        483⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        484⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        485⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        486⤵
        Checks computer location settings
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        487⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        488⤵
        Adds policy Run key to start application
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        489⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        490⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        491⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        492⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        493⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        494⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        495⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        496⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        497⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        498⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        499⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        500⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        501⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        502⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        503⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        504⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        505⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        506⤵
        Adds policy Run key to start application
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        507⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        508⤵
        Adds Run key to start application
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        509⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        510⤵
        Checks computer location settings
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        511⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        512⤵
        Modifies WinLogon
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        513⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        514⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        515⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        516⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        517⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        518⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        519⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        520⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        521⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        522⤵
        Adds policy Run key to start application
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        523⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        524⤵
        Checks computer location settings
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        525⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        526⤵
        Modifies WinLogon
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        527⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        528⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        529⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        530⤵
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        531⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        532⤵
        Adds policy Run key to start application
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        533⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        534⤵
        Adds policy Run key to start application
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        535⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        536⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        537⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        538⤵
        Adds policy Run key to start application
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        539⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        540⤵
        Modifies WinLogon
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        541⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        542⤵
        Adds policy Run key to start application
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        543⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        544⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        545⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        546⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        547⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        548⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        549⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        550⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        551⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        552⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        553⤵
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        554⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        555⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        556⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        557⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        558⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        559⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        560⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        561⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        562⤵
        Adds Run key to start application
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        563⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        564⤵
        Adds Run key to start application
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        565⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        566⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        567⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        568⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        569⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        570⤵
        Adds policy Run key to start application
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        571⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        572⤵
        Modifies WinLogon
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        573⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        574⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        575⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        576⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        577⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        578⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        579⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        580⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        581⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        582⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        583⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        584⤵
        Adds Run key to start application
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        585⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        586⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        587⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        588⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        589⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        590⤵
        Adds Run key to start application
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        591⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        592⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        593⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        594⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        595⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        596⤵
        Modifies WinLogon
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        597⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        598⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        599⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        600⤵
        Adds Run key to start application
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        601⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        602⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        603⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        604⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        605⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        606⤵
        Adds policy Run key to start application
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        607⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        608⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        609⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        610⤵
        Modifies WinLogon
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        611⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        612⤵
        Adds Run key to start application
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        613⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        614⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        615⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        616⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        617⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        618⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        619⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        620⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        621⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        622⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        623⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        624⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        625⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        626⤵
        Adds Run key to start application
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        627⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        628⤵
        Adds Run key to start application
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        629⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        630⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        631⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        632⤵
        Modifies WinLogon
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        633⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        634⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        635⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        636⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        637⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        638⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        639⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        640⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        641⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        642⤵
        Adds policy Run key to start application
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        643⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        644⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        645⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        646⤵
        Checks computer location settings
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        647⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        648⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        649⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        650⤵
        Checks computer location settings
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        651⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        652⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        653⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        654⤵
        Adds policy Run key to start application
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        655⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        656⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        657⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        658⤵
        Checks computer location settings
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        659⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        660⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        661⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        662⤵
        Checks computer location settings
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        663⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        664⤵
        Adds Run key to start application
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        665⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        666⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        667⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        668⤵
        Adds policy Run key to start application
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        669⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        670⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        671⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        672⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        673⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        674⤵
        Adds Run key to start application
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        675⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        676⤵
        Adds policy Run key to start application
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        677⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        678⤵
        Checks computer location settings
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        679⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        680⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        681⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        682⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        683⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        684⤵
        Adds Run key to start application
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        685⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        686⤵
        Modifies WinLogon
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        687⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        688⤵
        Adds policy Run key to start application
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        689⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        690⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        691⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        692⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        693⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        694⤵
        Modifies WinLogon
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        695⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        696⤵
        
        PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe

Filesize
73KB

MD5
074c415b7ff6216759269472e63ef44d

SHA1
238dfa827dcaa7ac3f48d30909abd20ecfedbb8e

SHA256
e776bac009401a8690377b7b49ba6ff61aea4eea48e1d3f208284556292fefc3

SHA512
8b93a53a7620a069ac046484f6c3ace792a8e83b6425d90de4b582f03d2dae3d2e531754708d4d7b9e2b5189b070f734cba9f43f084d11fd6615d5c9cb4ff81b

Download Submit
memory/392-113-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/512-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/548-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/808-131-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/808-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/860-129-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/860-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/968-119-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1096-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1140-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1400-114-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1496-118-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1528-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1548-116-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1652-108-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1656-130-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1940-110-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1956-127-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1960-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1976-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1988-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2192-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-128-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2400-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2400-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2400-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2400-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2400-126-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2404-115-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2404-137-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2436-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2436-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2440-104-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2488-125-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2500-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2564-136-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2788-101-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2996-135-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3164-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3200-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3208-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3248-120-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3344-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3548-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3696-109-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3700-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3708-117-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3724-123-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3956-111-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3972-133-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4100-112-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4220-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4284-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4436-132-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4460-78-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4556-124-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4568-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4744-134-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4812-122-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4892-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4932-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4932-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4972-121-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5036-139-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5064-107-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-138-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads