e849b0de5209dbb7a6e96f840ff17121fb2d147d231386d52a261f1f92945e38

Analysis

max time kernel
124s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Size

1.1MB
MD5

0c2b1dd5b9eb64ad6130c61826cf2864
SHA1

ac1c145695ee0aece971260fb1af2115de58c0fa
SHA256

e849b0de5209dbb7a6e96f840ff17121fb2d147d231386d52a261f1f92945e38
SHA512

734d12cc8c5ed780f6e254b08c9475ea17c26383f789caa8a4502b2f422e4d2505b2addfee15fa7dd3618f1cd7ae8118c3d22e3bcfe0ff08f41b3e65cef3c530
SSDEEP

24576:+JGrlbe0tPFPiB3Qz+9G/o1CWEzdFtVzGKm/0PbV4R:+JGrlbe0tPFaBAza0otEzdDVvm8zV4

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
4056	svchost.exe
2540	svchost.exe
2852	svchost.exe
1864	svchost.exe
1780	svchost.exe
3684	svchost.exe
692	svchost.exe
1388	svchost.exe
4756	svchost.exe
1496	svchost.exe
968	svchost.exe
1224	svchost.exe
2960	svchost.exe
2320	svchost.exe
4864	svchost.exe
5104	svchost.exe
2344	svchost.exe
856	svchost.exe
4136	svchost.exe
4856	svchost.exe
4696	svchost.exe
2508	svchost.exe
1056	svchost.exe
3096	svchost.exe
2576	svchost.exe
2392	svchost.exe
4016	svchost.exe
1524	svchost.exe
404	svchost.exe
376	svchost.exe
3400	svchost.exe
1884	svchost.exe
2088	svchost.exe
4808	svchost.exe
1308	svchost.exe
1612	svchost.exe
2116	svchost.exe
3992	svchost.exe
3592	svchost.exe
2684	svchost.exe
3080	svchost.exe
4784	svchost.exe
1824	svchost.exe
2376	svchost.exe
3620	svchost.exe
1036	svchost.exe
736	svchost.exe
3000	svchost.exe
4980	svchost.exe
548	svchost.exe
1860	svchost.exe
5036	svchost.exe
1956	svchost.exe
3612	svchost.exe
2236	svchost.exe
3120	svchost.exe
3152	svchost.exe
4496	svchost.exe
3160	svchost.exe
2432	svchost.exe
2364	svchost.exe
884	svchost.exe
1100	svchost.exe
1304	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\test\\svchost.exe"	svchost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\test\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 552 set thread context of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 4056 set thread context of 2540	4056	svchost.exe	91
PID 2852 set thread context of 1864	2852	svchost.exe	93
PID 1780 set thread context of 3684	1780	svchost.exe	95
PID 692 set thread context of 1388	692	svchost.exe	97
PID 4756 set thread context of 1496	4756	svchost.exe	99
PID 968 set thread context of 1224	968	svchost.exe	101
PID 2960 set thread context of 2320	2960	svchost.exe	103
PID 4864 set thread context of 5104	4864	svchost.exe	105
PID 2344 set thread context of 856	2344	svchost.exe	107
PID 4136 set thread context of 4856	4136	svchost.exe	109
PID 4696 set thread context of 2508	4696	svchost.exe	111
PID 1056 set thread context of 3096	1056	svchost.exe	113
PID 2576 set thread context of 2392	2576	svchost.exe	115
PID 4016 set thread context of 1524	4016	svchost.exe	117
PID 404 set thread context of 376	404	svchost.exe	121
PID 3400 set thread context of 1884	3400	svchost.exe	123
PID 2088 set thread context of 4808	2088	svchost.exe	125
PID 1308 set thread context of 1612	1308	svchost.exe	128
PID 2116 set thread context of 3992	2116	svchost.exe	131
PID 3592 set thread context of 2684	3592	svchost.exe	133
PID 3080 set thread context of 4784	3080	svchost.exe	135
PID 1824 set thread context of 2376	1824	svchost.exe	137
PID 3620 set thread context of 1036	3620	svchost.exe	139
PID 736 set thread context of 3000	736	svchost.exe	141
PID 4980 set thread context of 548	4980	svchost.exe	143
PID 1860 set thread context of 5036	1860	svchost.exe	145
PID 1956 set thread context of 3612	1956	svchost.exe	147
PID 2236 set thread context of 3120	2236	svchost.exe	150
PID 3152 set thread context of 4496	3152	svchost.exe	152
PID 3160 set thread context of 2432	3160	svchost.exe	154
PID 2364 set thread context of 884	2364	svchost.exe	156
PID 1100 set thread context of 1304	1100	svchost.exe	158
PID 2644 set thread context of 4324	2644	svchost.exe	160
PID 4848 set thread context of 5100	4848	svchost.exe	162
PID 4792 set thread context of 4884	4792	svchost.exe	164
PID 932 set thread context of 4992	932	svchost.exe	166
PID 2536 set thread context of 2500	2536	svchost.exe	169
PID 112 set thread context of 4524	112	svchost.exe	172
PID 2636 set thread context of 3952	2636	svchost.exe	174
PID 2180 set thread context of 3252	2180	svchost.exe	176
PID 636 set thread context of 4620	636	svchost.exe	178
PID 1784 set thread context of 3908	1784	svchost.exe	180
PID 1100 set thread context of 372	1100	svchost.exe	182
PID 2416 set thread context of 4148	2416	svchost.exe	184
PID 3768 set thread context of 4476	3768	svchost.exe	186
PID 5012 set thread context of 2948	5012	svchost.exe	188
PID 2912 set thread context of 1960	2912	svchost.exe	190
PID 4112 set thread context of 1308	4112	svchost.exe	192
PID 2968 set thread context of 2080	2968	svchost.exe	194
PID 1092 set thread context of 3160	1092	svchost.exe	196
PID 2060 set thread context of 4172	2060	svchost.exe	198
PID 1520 set thread context of 4804	1520	svchost.exe	200
PID 1888 set thread context of 3736	1888	svchost.exe	202
PID 2644 set thread context of 1376	2644	svchost.exe	204
PID 1440 set thread context of 3904	1440	svchost.exe	206
PID 4792 set thread context of 932	4792	svchost.exe	208
PID 4012 set thread context of 2004	4012	svchost.exe	210
PID 3236 set thread context of 2112	3236	svchost.exe	212
PID 3036 set thread context of 4360	3036	svchost.exe	214
PID 2888 set thread context of 4396	2888	svchost.exe	216
PID 1348 set thread context of 4256	1348	svchost.exe	218
PID 316 set thread context of 3892	316	svchost.exe	220
PID 1548 set thread context of 3004	1548	svchost.exe	222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeSecurityPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeBackupPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeRestorePrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeShutdownPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeDebugPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeUndockPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: 33	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: 34	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: 35	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: 36	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2540	svchost.exe
Token: SeSecurityPrivilege	2540	svchost.exe
Token: SeTakeOwnershipPrivilege	2540	svchost.exe
Token: SeLoadDriverPrivilege	2540	svchost.exe
Token: SeSystemProfilePrivilege	2540	svchost.exe
Token: SeSystemtimePrivilege	2540	svchost.exe
Token: SeProfSingleProcessPrivilege	2540	svchost.exe
Token: SeIncBasePriorityPrivilege	2540	svchost.exe
Token: SeCreatePagefilePrivilege	2540	svchost.exe
Token: SeBackupPrivilege	2540	svchost.exe
Token: SeRestorePrivilege	2540	svchost.exe
Token: SeShutdownPrivilege	2540	svchost.exe
Token: SeDebugPrivilege	2540	svchost.exe
Token: SeSystemEnvironmentPrivilege	2540	svchost.exe
Token: SeChangeNotifyPrivilege	2540	svchost.exe
Token: SeRemoteShutdownPrivilege	2540	svchost.exe
Token: SeUndockPrivilege	2540	svchost.exe
Token: SeManageVolumePrivilege	2540	svchost.exe
Token: SeImpersonatePrivilege	2540	svchost.exe
Token: SeCreateGlobalPrivilege	2540	svchost.exe
Token: 33	2540	svchost.exe
Token: 34	2540	svchost.exe
Token: 35	2540	svchost.exe
Token: 36	2540	svchost.exe
Token: SeIncreaseQuotaPrivilege	1864	svchost.exe
Token: SeSecurityPrivilege	1864	svchost.exe
Token: SeTakeOwnershipPrivilege	1864	svchost.exe
Token: SeLoadDriverPrivilege	1864	svchost.exe
Token: SeSystemProfilePrivilege	1864	svchost.exe
Token: SeSystemtimePrivilege	1864	svchost.exe
Token: SeProfSingleProcessPrivilege	1864	svchost.exe
Token: SeIncBasePriorityPrivilege	1864	svchost.exe
Token: SeCreatePagefilePrivilege	1864	svchost.exe
Token: SeBackupPrivilege	1864	svchost.exe
Token: SeRestorePrivilege	1864	svchost.exe
Token: SeShutdownPrivilege	1864	svchost.exe
Token: SeDebugPrivilege	1864	svchost.exe
Token: SeSystemEnvironmentPrivilege	1864	svchost.exe
Token: SeChangeNotifyPrivilege	1864	svchost.exe
Token: SeRemoteShutdownPrivilege	1864	svchost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
4056	svchost.exe
2852	svchost.exe
1780	svchost.exe
692	svchost.exe
4756	svchost.exe
968	svchost.exe
2960	svchost.exe
4864	svchost.exe
2344	svchost.exe
4136	svchost.exe
4696	svchost.exe
1056	svchost.exe
2576	svchost.exe
4016	svchost.exe
404	svchost.exe
3400	svchost.exe
2088	svchost.exe
1308	svchost.exe
2116	svchost.exe
3592	svchost.exe
3080	svchost.exe
1824	svchost.exe
3620	svchost.exe
736	svchost.exe
4980	svchost.exe
1860	svchost.exe
1956	svchost.exe
2236	svchost.exe
3152	svchost.exe
3160	svchost.exe
2364	svchost.exe
1100	svchost.exe
2644	svchost.exe
4848	svchost.exe
4792	svchost.exe
932	svchost.exe
2536	svchost.exe
112	svchost.exe
2636	svchost.exe
2180	svchost.exe
636	svchost.exe
1784	svchost.exe
1100	svchost.exe
2416	svchost.exe
3768	svchost.exe
5012	svchost.exe
2912	svchost.exe
4112	svchost.exe
2968	svchost.exe
1092	svchost.exe
2060	svchost.exe
1520	svchost.exe
1888	svchost.exe
2644	svchost.exe
1440	svchost.exe
4792	svchost.exe
4012	svchost.exe
3236	svchost.exe
3036	svchost.exe
2888	svchost.exe
1348	svchost.exe
316	svchost.exe
1548	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 552 wrote to memory of 2528	552	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	87
PID 2528 wrote to memory of 4056	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	90
PID 2528 wrote to memory of 4056	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	90
PID 2528 wrote to memory of 4056	2528	0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe	90
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 4056 wrote to memory of 2540	4056	svchost.exe	91
PID 2540 wrote to memory of 2852	2540	svchost.exe	92
PID 2540 wrote to memory of 2852	2540	svchost.exe	92
PID 2540 wrote to memory of 2852	2540	svchost.exe	92
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 2852 wrote to memory of 1864	2852	svchost.exe	93
PID 1864 wrote to memory of 1780	1864	svchost.exe	94
PID 1864 wrote to memory of 1780	1864	svchost.exe	94
PID 1864 wrote to memory of 1780	1864	svchost.exe	94
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95
PID 1780 wrote to memory of 3684	1780	svchost.exe	95

C:\Users\Admin\AppData\Local\Temp\0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\test\svchost.exe
    "C:\Windows\system32\test\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\SysWOW64\test\svchost.exe
      C:\Windows\SysWOW64\test\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3684
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        10⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        18⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:856
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4856
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4696
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2508
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        26⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4016
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        30⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3400
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        34⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4808
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        38⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        42⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        48⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:736
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4980
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        54⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        58⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3152
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4496
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3160
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        62⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:884
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        66⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        68⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        69⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4792
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        72⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        73⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        74⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        76⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        78⤵
        Adds Run key to start application
        
        PID:4524
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        80⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        81⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        82⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        86⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        88⤵
        
        PID:372
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        89⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        90⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        92⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        96⤵
        Checks computer location settings
        
        PID:1960
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4112
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        98⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        101⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        102⤵
        Adds Run key to start application
        
        PID:3160
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        104⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        105⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        106⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        107⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        108⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        109⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        110⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        111⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        112⤵
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        113⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4792
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        114⤵
        Adds Run key to start application
        
        PID:932
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        116⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        117⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3236
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        118⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        120⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        121⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        122⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        124⤵
        Adds Run key to start application
        
        PID:4256
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        125⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        126⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        127⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        128⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        129⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        130⤵
        Adds Run key to start application
        
        PID:4372
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        131⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        132⤵
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        133⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        134⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        135⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        136⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        137⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        138⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        139⤵
        
        PID:496
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        140⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        141⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        142⤵
        
        PID:980
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        143⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        144⤵
        Adds Run key to start application
        
        PID:744
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        145⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        147⤵
        
        PID:492
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        148⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        149⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        150⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        151⤵
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        152⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        153⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        155⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        156⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        157⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        158⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        159⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        161⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        162⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        163⤵
        
        PID:560
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        164⤵
        Checks computer location settings
        
        PID:2384
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        165⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        166⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        167⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        168⤵
        Checks computer location settings
        
        PID:3816
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        170⤵
        Adds Run key to start application
        
        PID:4948
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        171⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        172⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        173⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        175⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        176⤵
        Adds Run key to start application
        
        PID:2416
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        177⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        178⤵
        
        PID:700
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        179⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        180⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        181⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        182⤵
        
        PID:404
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        183⤵
        
        PID:496
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        184⤵
        
        PID:628
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        185⤵
        
        PID:560
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        186⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        187⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        188⤵
        Adds Run key to start application
        
        PID:2640
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        190⤵
        Adds Run key to start application
        
        PID:316
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        191⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        192⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        193⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        194⤵
        Checks computer location settings
        
        PID:4904
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        195⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        196⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        197⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        198⤵
        Checks computer location settings
        
        PID:4708
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        199⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        200⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        202⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        203⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        204⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4204
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        205⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        207⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        209⤵
        
        PID:984
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        210⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        213⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        214⤵
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        215⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        216⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        217⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        218⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        219⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        220⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        221⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        222⤵
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        223⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        224⤵
        
        PID:652
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        225⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        226⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        227⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        228⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        229⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        230⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        231⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        232⤵
        Adds Run key to start application
        
        PID:1140
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        233⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        234⤵
        Adds Run key to start application
        
        PID:1972
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        235⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        236⤵
        
        PID:112
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        237⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        238⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        239⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        240⤵
        Adds Run key to start application
        
        PID:1704
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        241⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        242⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        243⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        244⤵
        Checks computer location settings
        
        PID:3900
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        245⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        246⤵
        
        PID:984
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        247⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        248⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        249⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        250⤵
        Checks computer location settings
        
        PID:2448
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        251⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        252⤵
        
        PID:968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        253⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        254⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        255⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        256⤵
        Adds Run key to start application
        
        PID:2600
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        257⤵
        Drops file in System32 directory
        
        PID:496
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        258⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        259⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        260⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        261⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        262⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        263⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        264⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        265⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        266⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        267⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        268⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        269⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        270⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        271⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        272⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        273⤵
        
        PID:560
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        274⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        275⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        276⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        278⤵
        Checks computer location settings
        
        PID:4848
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        279⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        280⤵
        Checks computer location settings
        
        PID:4436
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        281⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        282⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        283⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        284⤵
        
        PID:336
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        285⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        286⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        287⤵
        
        PID:8
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        288⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        289⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        290⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        291⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        292⤵
        Adds Run key to start application
        
        PID:2108
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        293⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        294⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        295⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        296⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        297⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        298⤵
        Checks computer location settings
        
        PID:4112
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        299⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        300⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        301⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        302⤵
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        303⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        304⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        305⤵
        
        PID:8
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        306⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        307⤵
        
        PID:216
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        308⤵
        Adds Run key to start application
        
        PID:1056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        309⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        310⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        311⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        312⤵
        Checks computer location settings
        
        PID:5092
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        313⤵
        
        PID:400
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        314⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        315⤵
        
        PID:936
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        316⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        317⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        318⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        319⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        320⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        321⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        322⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        323⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        324⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        325⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        326⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        327⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        328⤵
        Checks computer location settings
        
        PID:448
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        329⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        330⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        331⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        332⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        333⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        334⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        335⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        336⤵
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        337⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        338⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        339⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        340⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        341⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        342⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        343⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        344⤵
        
        PID:400
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        345⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        346⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        347⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        348⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        349⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        350⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        351⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        352⤵
        Adds Run key to start application
        
        PID:3340
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        353⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        354⤵
        
        PID:560
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        355⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        356⤵
        Adds Run key to start application
        
        PID:3368
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        357⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        358⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        359⤵
        
        PID:8
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        360⤵
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        361⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        362⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        363⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        364⤵
        Checks computer location settings
        
        PID:3588
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        365⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        366⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        367⤵
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        368⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        369⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        370⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        371⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        372⤵
        Checks computer location settings
        
        PID:1092
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        373⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        374⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        375⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        376⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        377⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        378⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        379⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        380⤵
        Checks computer location settings
        
        PID:4012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        381⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        382⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        383⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        384⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        385⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        386⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        387⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        388⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        389⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        390⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        391⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        392⤵
        Checks computer location settings
        
        PID:4872
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        393⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        394⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        395⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        396⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3640
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        397⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        398⤵
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        399⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        400⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        401⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        402⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        403⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        404⤵
        
        PID:936
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        405⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        406⤵
        Checks computer location settings
        
        PID:2852
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        407⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        408⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        409⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        410⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        411⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        412⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        413⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        414⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        415⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        416⤵
        Checks computer location settings
        
        PID:2316
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        417⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        418⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        419⤵
        
        PID:488
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        420⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        421⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        422⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        423⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        424⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        425⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        426⤵
        Checks computer location settings
        
        PID:1736
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        427⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        428⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        429⤵
        
        PID:64
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        430⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        431⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        432⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        433⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        434⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        435⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        436⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        437⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        438⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        439⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        440⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        441⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        442⤵
        Checks computer location settings
        
        PID:2328
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        443⤵
        
        PID:808
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        444⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        445⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        446⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        447⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        448⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        449⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        450⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        451⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        452⤵
        Checks computer location settings
        
        PID:960
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        453⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        454⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        455⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        456⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        457⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        458⤵
        Adds Run key to start application
        
        PID:4696
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        459⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        460⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        461⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        462⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        463⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        464⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        465⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        466⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        467⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        468⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        469⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        470⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        471⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        472⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        473⤵
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        474⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        475⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        476⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        477⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        478⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        479⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        480⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        481⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        482⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        483⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        484⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        485⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        486⤵
        Adds Run key to start application
        
        PID:2836
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        487⤵
        
        PID:636
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        488⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        489⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        490⤵
        Adds Run key to start application
        
        PID:1440
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        491⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        492⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        493⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        494⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        495⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        496⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        497⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        498⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        499⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        500⤵
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        501⤵
        
        PID:488
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        502⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        503⤵
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        504⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        505⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        506⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        507⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        508⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        509⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        510⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        511⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        512⤵
        
        PID:488
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        513⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        514⤵
        Checks computer location settings
        
        PID:1444
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        515⤵
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        516⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        517⤵
        
        PID:740
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        518⤵
        Adds Run key to start application
        
        PID:4736
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        519⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        520⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        521⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        522⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        523⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        524⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        525⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        526⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4212
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        527⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        528⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        529⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        530⤵
        Adds Run key to start application
        
        PID:4428
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        531⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        532⤵
        Adds Run key to start application
        
        PID:584
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        533⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        534⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        535⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        536⤵
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        537⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        538⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        539⤵
        
        PID:492
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        540⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        541⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        542⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        543⤵
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        544⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        545⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        546⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        547⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        548⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        549⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        550⤵
        
        PID:648
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        551⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        552⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        553⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        554⤵
        Adds Run key to start application
        
        PID:4152
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        555⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        556⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        557⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        558⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        559⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        560⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        561⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        562⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        563⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        564⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        565⤵
        
        PID:740
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        566⤵
        Adds Run key to start application
        
        PID:2592
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        567⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        568⤵
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        569⤵
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        570⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        571⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        572⤵
        Adds Run key to start application
        
        PID:524
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        573⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        574⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        575⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        576⤵
        Checks computer location settings
        
        PID:4832
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        577⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        578⤵
        Checks computer location settings
        
        PID:4820
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        579⤵
        
        PID:584
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        580⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        581⤵
        
        PID:180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        582⤵
        
        PID:664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        583⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        584⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        585⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        586⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        587⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        588⤵
        Checks computer location settings
        
        PID:1632
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        589⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        590⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        591⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        592⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        593⤵
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        594⤵
        Checks computer location settings
        
        PID:2072
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        595⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        596⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        597⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        598⤵
        Adds Run key to start application
        
        PID:740
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        599⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        600⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        601⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        602⤵
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        603⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        604⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        605⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        606⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        607⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        608⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        609⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        610⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        611⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        612⤵
        Adds Run key to start application
        
        PID:4352
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        613⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        614⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        615⤵
        
        PID:552
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        616⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        617⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        618⤵
        Checks computer location settings
        
        PID:1008
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        619⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        620⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        621⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        622⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        623⤵
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        624⤵
        Adds Run key to start application
        
        PID:4588
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        625⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        626⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        627⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        628⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        629⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        630⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        631⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        632⤵
        Adds Run key to start application
        
        PID:3828
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        633⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        634⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        635⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        636⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        637⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        638⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        639⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        640⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        641⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        642⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        643⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        644⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3476
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        645⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        646⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        647⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        648⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        649⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        650⤵
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        651⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        652⤵
        
        PID:180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        653⤵
        
        PID:552
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        654⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        655⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        656⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        657⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        658⤵
        Checks computer location settings
        
        PID:1268
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        659⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        660⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        661⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        662⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        663⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        664⤵
        Checks computer location settings
        
        PID:4232
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        665⤵
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        666⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        667⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        668⤵
        
        PID:800
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        669⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        670⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        671⤵
        
        PID:584
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        672⤵
        Checks computer location settings
        
        PID:3524
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        673⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        674⤵
        Adds Run key to start application
        
        PID:1952
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        675⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        676⤵
        
        PID:584
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        677⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        678⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2636
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        679⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        680⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        681⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        682⤵
        Adds Run key to start application
        
        PID:1436
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        683⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        684⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        685⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        686⤵
        Checks computer location settings
        
        PID:5164
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        687⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        688⤵
        Adds Run key to start application
        
        PID:5260
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        689⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        690⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        691⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        692⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        693⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        694⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        695⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        696⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        697⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        698⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        699⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        700⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        701⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        702⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        703⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        704⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        705⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        706⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        707⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        708⤵
        Checks computer location settings
        
        PID:4996
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        709⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        710⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        711⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        712⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        713⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        714⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        715⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        716⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        717⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        718⤵
        Checks computer location settings
        
        PID:3744
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        719⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        720⤵
        Checks computer location settings
        
        PID:5968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        721⤵
        
        PID:764
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        722⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        723⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        724⤵
        Adds Run key to start application
        
        PID:6016
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        725⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        726⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        727⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        728⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        729⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        730⤵
        Adds Run key to start application
        
        PID:5264
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        731⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        732⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        733⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        734⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        735⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        736⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        737⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        738⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        739⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        740⤵
        Adds Run key to start application
        
        PID:3868
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        741⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        742⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        743⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        744⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        745⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        746⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        747⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        748⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        749⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        750⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        751⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        752⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        753⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        754⤵
        Adds Run key to start application
        
        PID:5572
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        755⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        756⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        757⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        758⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        759⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        760⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        761⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        762⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        763⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        764⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        765⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        766⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        767⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        768⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        769⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        770⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        771⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        772⤵
        
        PID:944
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        773⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        774⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        775⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        776⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        777⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        778⤵
        Checks computer location settings
        
        PID:5364
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        779⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        780⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        781⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        782⤵
        Checks computer location settings
        
        PID:5020
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        783⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        784⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:6064
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        785⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        786⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        787⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        788⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        789⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        790⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        791⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        792⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        793⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        794⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        795⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        796⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        797⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        798⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        799⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        800⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        801⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        802⤵
        
        PID:496
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        803⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        804⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        805⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        806⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        807⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        808⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        809⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        810⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        811⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        812⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        813⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        814⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        815⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        816⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        817⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        818⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        819⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        820⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        821⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        822⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        823⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        824⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        825⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        826⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        827⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        828⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        829⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        830⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        831⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        832⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        833⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        834⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        835⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        836⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        837⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        838⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        839⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        840⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        841⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        842⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        843⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        844⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        845⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        846⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        847⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        848⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        849⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        850⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        851⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        852⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        853⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        854⤵
        
        PID:748
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        855⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        856⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        857⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        858⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        859⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        860⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        861⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        862⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        863⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        864⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        865⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        866⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        867⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        868⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        869⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        870⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        871⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        872⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        873⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        874⤵
        
        PID:736
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        875⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        876⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        877⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        878⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        879⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        880⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        881⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        882⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        883⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        884⤵
        
        PID:440
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        885⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        886⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        887⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        888⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        889⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        890⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        891⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        892⤵
        
        PID:436
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        893⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        894⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        895⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        896⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        897⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        898⤵
        
        PID:808
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        899⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        900⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        901⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        902⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        903⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        904⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        905⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        906⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        907⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        C:\Windows\SysWOW64\test\svchost.exe
        908⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\test\svchost.exe
        
        "C:\Windows\system32\test\svchost.exe"
        909⤵
        
        PID:4864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1860

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\test\svchost.exe

Filesize
1.1MB

MD5
0c2b1dd5b9eb64ad6130c61826cf2864

SHA1
ac1c145695ee0aece971260fb1af2115de58c0fa

SHA256
e849b0de5209dbb7a6e96f840ff17121fb2d147d231386d52a261f1f92945e38

SHA512
734d12cc8c5ed780f6e254b08c9475ea17c26383f789caa8a4502b2f422e4d2505b2addfee15fa7dd3618f1cd7ae8118c3d22e3bcfe0ff08f41b3e65cef3c530

Download Submit
memory/856-110-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/856-109-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1224-81-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1224-79-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1224-78-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1388-58-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1388-59-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1388-60-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1496-70-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1496-69-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1496-68-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1864-41-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1864-39-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2320-90-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2320-89-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2320-88-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-5-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-2-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-4-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-3-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2528-7-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2540-30-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2540-28-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2540-29-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2540-27-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3684-50-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3684-49-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4856-118-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/5104-98-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/5104-99-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/5104-100-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads