neshta | 938a4f66e8d694b129da1443341cdb731d9d6d8410d4d8ca90700b76f9e0e719

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
Size

364KB
MD5

32108bd2710ad6e446e2a9ae7c56bff6
SHA1

7eec7141af3bfc04af9017d2259f4115916a56ee
SHA256

938a4f66e8d694b129da1443341cdb731d9d6d8410d4d8ca90700b76f9e0e719
SHA512

3a7cb00bd8718eb524f321bb5e5cf403f9a546de1c56bed105a88f6dbc273914e7463942db05164d2a3d4c8001c2821cbd8c35fae65c4b5c0d7ccf62545be316
SSDEEP

6144:PuqgQ/Y2iY1fHAmRd3VVdqM182P906ZY94NGTuq:xxx1fgm7VVUMDVI9O

Score

10^/10

neshta adware discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

pid	Process
2776	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
2892	svchost.com
2748	32108B~1.EXE
2676	svchost.com
2628	32108B~1.EXE
2316	svchost.com
2816	32108B~1.EXE
2164	svchost.com
2060	32108B~1.EXE
1472	svchost.com
2828	32108B~1.EXE
2920	svchost.com
1468	32108B~1.EXE
2252	svchost.com
2204	32108B~1.EXE
2200	svchost.com
2172	32108B~1.EXE
2964	svchost.com
1648	32108B~1.EXE
1620	svchost.com
2108	32108B~1.EXE
3060	svchost.com
1960	32108B~1.EXE
1212	svchost.com
2056	32108B~1.EXE
2456	svchost.com
2528	32108B~1.EXE
984	svchost.com
2724	32108B~1.EXE
2772	svchost.com
2820	32108B~1.EXE
2612	svchost.com
2592	32108B~1.EXE
2740	svchost.com
2616	32108B~1.EXE
1108	svchost.com
2316	32108B~1.EXE
1416	svchost.com
2124	32108B~1.EXE
2660	svchost.com
2840	32108B~1.EXE
2952	svchost.com
1040	32108B~1.EXE
2268	svchost.com
2756	32108B~1.EXE
968	svchost.com
588	32108B~1.EXE
1764	svchost.com
2224	32108B~1.EXE
796	svchost.com
2368	32108B~1.EXE
2148	svchost.com
1076	32108B~1.EXE
2172	svchost.com
1136	32108B~1.EXE
2948	svchost.com
1708	32108B~1.EXE
1000	svchost.com
3056	32108B~1.EXE
1536	svchost.com
608	32108B~1.EXE
1068	svchost.com
3000	32108B~1.EXE
2264	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
3020	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
3020	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
2892	svchost.com
2892	svchost.com
2676	svchost.com
2676	svchost.com
2316	svchost.com
2316	svchost.com
2164	svchost.com
2164	svchost.com
1472	svchost.com
1472	svchost.com
2920	svchost.com
2920	svchost.com
2252	svchost.com
2252	svchost.com
3020	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
2776	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
2200	svchost.com
2200	svchost.com
2776	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
2964	svchost.com
2964	svchost.com
1620	svchost.com
1620	svchost.com
3060	svchost.com
3060	svchost.com
1212	svchost.com
1212	svchost.com
2456	svchost.com
2456	svchost.com
984	svchost.com
984	svchost.com
2772	svchost.com
2772	svchost.com
2776	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
2612	svchost.com
2612	svchost.com
2740	svchost.com
2740	svchost.com
1108	svchost.com
1108	svchost.com
1416	svchost.com
1416	svchost.com
2660	svchost.com
2660	svchost.com
2952	svchost.com
2952	svchost.com
2268	svchost.com
2268	svchost.com
968	svchost.com
968	svchost.com
1764	svchost.com
1764	svchost.com
796	svchost.com
796	svchost.com
2148	svchost.com
2148	svchost.com
2172	svchost.com
2172	svchost.com
2948	svchost.com
2948	svchost.com
1000	svchost.com
1000	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	bpk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-47-259558254	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-07-259577520	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-14-259584618	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-50-259500455	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-06-259516680	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-34-259604898	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-01-259511610	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-52-259562310	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-11-259581576	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-35-259605912	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-06-259516680	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-36-259547100	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-30-259541016	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-31-259542030	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-42-259553184	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-25-259595772	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-30-259481189	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-07-259517694	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-14-259524792	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-33-259484231	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-27-53-259503497	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-47-259497429	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-04-259514652	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-43-259554198	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-39-259489301	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-27-45-259495385	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-05-259515681	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-05-259515681	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-41-259491329	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-54-259504511	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-27-259597800	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-31-259601856	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-45-259495385	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-43-259554198	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-49-259560282	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-08-259518708	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-33-259544058	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-06-259576506	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-32-259602870	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-35-259546086	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-56-259566366	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-10-259580562	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-17-259587660	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-30-259600842	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-52-259502483	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-29-259540002	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-03-259573464	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-19-259589688	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-34-259545072	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-02-259572450	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-28-259598814	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-50-259561296	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-16-259586646	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-38-259549128	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-41-259552170	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-17-259587660	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-12-259522764	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-37-259548114	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-27-259537974	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-55-259565352	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-07-259577520	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-53-259503497	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-00-259510595	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-08-259578534	bpk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000187a2-1932.dat	nsis_installer_1

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE"	bpk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
392	bpk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
392	bpk.exe
392	bpk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe
392	bpk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2776	3020	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2776	3020	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2776	3020	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2776	3020	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2892	2776	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2892	2776	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2892	2776	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2892	2776	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	31
PID 2892 wrote to memory of 2748	2892	svchost.com	32
PID 2892 wrote to memory of 2748	2892	svchost.com	32
PID 2892 wrote to memory of 2748	2892	svchost.com	32
PID 2892 wrote to memory of 2748	2892	svchost.com	32
PID 2748 wrote to memory of 2676	2748	32108B~1.EXE	33
PID 2748 wrote to memory of 2676	2748	32108B~1.EXE	33
PID 2748 wrote to memory of 2676	2748	32108B~1.EXE	33
PID 2748 wrote to memory of 2676	2748	32108B~1.EXE	33
PID 2676 wrote to memory of 2628	2676	svchost.com	34
PID 2676 wrote to memory of 2628	2676	svchost.com	34
PID 2676 wrote to memory of 2628	2676	svchost.com	34
PID 2676 wrote to memory of 2628	2676	svchost.com	34
PID 2628 wrote to memory of 2316	2628	32108B~1.EXE	66
PID 2628 wrote to memory of 2316	2628	32108B~1.EXE	66
PID 2628 wrote to memory of 2316	2628	32108B~1.EXE	66
PID 2628 wrote to memory of 2316	2628	32108B~1.EXE	66
PID 2316 wrote to memory of 2816	2316	svchost.com	36
PID 2316 wrote to memory of 2816	2316	svchost.com	36
PID 2316 wrote to memory of 2816	2316	svchost.com	36
PID 2316 wrote to memory of 2816	2316	svchost.com	36
PID 2816 wrote to memory of 2164	2816	32108B~1.EXE	37
PID 2816 wrote to memory of 2164	2816	32108B~1.EXE	37
PID 2816 wrote to memory of 2164	2816	32108B~1.EXE	37
PID 2816 wrote to memory of 2164	2816	32108B~1.EXE	37
PID 2164 wrote to memory of 2060	2164	svchost.com	38
PID 2164 wrote to memory of 2060	2164	svchost.com	38
PID 2164 wrote to memory of 2060	2164	svchost.com	38
PID 2164 wrote to memory of 2060	2164	svchost.com	38
PID 2060 wrote to memory of 1472	2060	32108B~1.EXE	39
PID 2060 wrote to memory of 1472	2060	32108B~1.EXE	39
PID 2060 wrote to memory of 1472	2060	32108B~1.EXE	39
PID 2060 wrote to memory of 1472	2060	32108B~1.EXE	39
PID 1472 wrote to memory of 2828	1472	svchost.com	40
PID 1472 wrote to memory of 2828	1472	svchost.com	40
PID 1472 wrote to memory of 2828	1472	svchost.com	40
PID 1472 wrote to memory of 2828	1472	svchost.com	40
PID 2828 wrote to memory of 2920	2828	32108B~1.EXE	41
PID 2828 wrote to memory of 2920	2828	32108B~1.EXE	41
PID 2828 wrote to memory of 2920	2828	32108B~1.EXE	41
PID 2828 wrote to memory of 2920	2828	32108B~1.EXE	41
PID 2920 wrote to memory of 1468	2920	svchost.com	42
PID 2920 wrote to memory of 1468	2920	svchost.com	42
PID 2920 wrote to memory of 1468	2920	svchost.com	42
PID 2920 wrote to memory of 1468	2920	svchost.com	42
PID 1468 wrote to memory of 2252	1468	32108B~1.EXE	43
PID 1468 wrote to memory of 2252	1468	32108B~1.EXE	43
PID 1468 wrote to memory of 2252	1468	32108B~1.EXE	43
PID 1468 wrote to memory of 2252	1468	32108B~1.EXE	43
PID 2252 wrote to memory of 2204	2252	svchost.com	44
PID 2252 wrote to memory of 2204	2252	svchost.com	44
PID 2252 wrote to memory of 2204	2252	svchost.com	44
PID 2252 wrote to memory of 2204	2252	svchost.com	44
PID 2204 wrote to memory of 2200	2204	32108B~1.EXE	45
PID 2204 wrote to memory of 2200	2204	32108B~1.EXE	45
PID 2204 wrote to memory of 2200	2204	32108B~1.EXE	45
PID 2204 wrote to memory of 2200	2204	32108B~1.EXE	45

C:\Users\Admin\AppData\Local\Temp\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\3582-490\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        59⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        66⤵
        
        PID:308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        67⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        68⤵
        
        PID:1192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        69⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        70⤵
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        71⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        72⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        73⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        74⤵
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        75⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        76⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        77⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        78⤵
        Drops file in Windows directory
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        79⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        80⤵
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        81⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        83⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        84⤵
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        85⤵
        Drops file in Windows directory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        86⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        87⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        88⤵
        
        PID:1316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        89⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        91⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        92⤵
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        93⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        94⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        95⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        96⤵
        Drops file in Windows directory
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        97⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        98⤵
        
        PID:860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        99⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        100⤵
        Drops file in Windows directory
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        102⤵
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        103⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        104⤵
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        105⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        106⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        107⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        108⤵
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        109⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        110⤵
        Drops file in Windows directory
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        111⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        112⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        113⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        114⤵
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        115⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        116⤵
        
        PID:1412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        117⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        118⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        119⤵
        Drops file in Windows directory
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        120⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        121⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        122⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        123⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        124⤵
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        126⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        127⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        128⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        129⤵
        Drops file in Windows directory
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        130⤵
        
        PID:2124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        131⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        133⤵
        Drops file in Windows directory
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        134⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        135⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        136⤵
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        137⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        138⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        140⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        141⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        143⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        144⤵
        
        PID:292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        145⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        146⤵
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        147⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        149⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        150⤵
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        151⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        152⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        153⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        154⤵
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        156⤵
        
        PID:1476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        158⤵
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        159⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        160⤵
        
        PID:2528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        162⤵
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        163⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        164⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        165⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        166⤵
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        167⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        169⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        170⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        171⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        172⤵
        
        PID:1900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        173⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        174⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        175⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        177⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        178⤵
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        179⤵
        Drops file in Windows directory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        180⤵
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        181⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        182⤵
        
        PID:968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        184⤵
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        187⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        188⤵
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        189⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        190⤵
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        191⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        192⤵
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        194⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        195⤵
        Drops file in Windows directory
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        196⤵
        Drops file in Windows directory
        
        PID:352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        197⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        198⤵
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        199⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        200⤵
        
        PID:1564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        201⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        202⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        203⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        204⤵
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        205⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        206⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        207⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        208⤵
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        209⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        211⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        213⤵
        Drops file in Windows directory
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        214⤵
        Drops file in Windows directory
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        215⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        216⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        217⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        218⤵
        Drops file in Windows directory
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        219⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        220⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        221⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        222⤵
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        223⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        224⤵
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        225⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        226⤵
        
        PID:936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        227⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        228⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        229⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        230⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        236⤵
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        237⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        238⤵
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        239⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        240⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        241⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        242⤵
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        243⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        244⤵
        Drops file in Windows directory
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        246⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        247⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        248⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        250⤵
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        251⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        253⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        255⤵
        Drops file in Windows directory
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        256⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        257⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        258⤵
        Drops file in Windows directory
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        259⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        260⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        261⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        262⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        263⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        264⤵
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        265⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        266⤵
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        267⤵
        Drops file in Windows directory
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        268⤵
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        269⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        270⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        272⤵
        
        PID:288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        273⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        274⤵
        Drops file in Windows directory
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        275⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        276⤵
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        277⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        278⤵
        
        PID:1956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        279⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        280⤵
        
        PID:1136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        281⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        282⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        283⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        284⤵
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        285⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        286⤵
        
        PID:352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        287⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        288⤵
        Drops file in Windows directory
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        289⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        290⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        291⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        292⤵
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        293⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        294⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        295⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        296⤵
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        298⤵
        
        PID:1412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        299⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        300⤵
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        301⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        302⤵
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        303⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        304⤵
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        305⤵
        Drops file in Windows directory
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        306⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        307⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        308⤵
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        309⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        310⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        311⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        312⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        313⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        314⤵
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        315⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        316⤵
        
        PID:264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        317⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        318⤵
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        319⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        321⤵
        Drops file in Windows directory
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        322⤵
        
        PID:2416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        324⤵
        
        PID:292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        325⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        326⤵
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        327⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        328⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        329⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        330⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        331⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        332⤵
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        333⤵
        Drops file in Windows directory
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        334⤵
        
        PID:3000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        335⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        336⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        337⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        338⤵
        
        PID:1596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        339⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        340⤵
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        342⤵
        Drops file in Windows directory
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        343⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        344⤵
        Drops file in Windows directory
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        345⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        346⤵
        
        PID:2560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        347⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        348⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        349⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        350⤵
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        351⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        352⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        353⤵
        Drops file in Windows directory
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        354⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        355⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        356⤵
        
        PID:580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        357⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        358⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        359⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        360⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        361⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        362⤵
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        364⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        365⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        366⤵
        Drops file in Windows directory
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        367⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        368⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        369⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        370⤵
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        371⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        372⤵
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        373⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        374⤵
        
        PID:608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        375⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        376⤵
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        377⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        378⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        379⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        380⤵
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        381⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        382⤵
        Drops file in Windows directory
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        383⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        384⤵
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        385⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        386⤵
        Drops file in Windows directory
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        387⤵
        Drops file in Windows directory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        388⤵
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        389⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        390⤵
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        391⤵
        Drops file in Windows directory
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        392⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        393⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        394⤵
        
        PID:376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        395⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        396⤵
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        397⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        398⤵
        Drops file in Windows directory
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        399⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        400⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        401⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        402⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        403⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        404⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        405⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        406⤵
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        407⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        408⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        409⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        410⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        411⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        412⤵
        
        PID:860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        413⤵
        Drops file in Windows directory
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        414⤵
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        415⤵
        Drops file in Windows directory
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        416⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        417⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        418⤵
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        419⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        420⤵
        
        PID:2212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        421⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        422⤵
        
        PID:1564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        423⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        424⤵
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        425⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        426⤵
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        427⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        428⤵
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        429⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        430⤵
        Drops file in Windows directory
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        431⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        432⤵
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        433⤵
        Drops file in Windows directory
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        434⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
        435⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
        436⤵
        
        PID:2792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\uninst.exe"
        437⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\uninst.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\uninst.exe
        438⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\RarSFX0\
        439⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\bpk.exe
        
        C:\Windows\system32\bpk.exe
        437⤵
        Adds Run key to start application
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
2142b0fff4fbaaaa52bb901730f4b58c

SHA1
8c139ed4e04bb6413200716f0567bf76262e3051

SHA256
da7c7e2a69816a8e1c3cd016bdd461c5b55963ef6f198287098b193893d37a54

SHA512
f9055d72c535836ec3f06278a7891572665e943ca5af52f84ee368504e82a1f2ce330d455b8420a61e8576b9c8daa08063905df50c76248c58d8c9c97a03c7a0

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
46990c189f267e44f1927f68380102a7

SHA1
01eb9127bcda65186295003420683f3b4385659c

SHA256
323942be693446177d1e1f3686ccf142c31f812501a4b96aba2465c5291280cf

SHA512
3d1b342922f6fbb55aab224c705202d8607108ed459eb3dfecd7deece986f8818961c31930858f9576afeb9f7114cb64ad68d50768a9a61103be44d668d53296

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
939ca2abd7c11259121172f1809ca0d1

SHA1
36065fb4bcee5b9c008b15201068c9095fbd7b67

SHA256
9633055c3957362359da71275a97b9345303e74968293b943d63aa0ddd711a0c

SHA512
78a73e98127a3046fbc574b78dad605c0fec0ba43257d03849905cba2278b6ba44c2590f36871721094122e73488941dbed34fba6890c285f1b2745f48cdcd93

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
1bd32548884b3c856e40b1c4b2c7c1be

SHA1
71a8934e6a93720734c5da3e573781804790916c

SHA256
e7c3ef83d115a98ef4387fce71db23af764c53fcfa97f3db80f7b5442f7e4291

SHA512
120c93b076e50bfc1ef7ac007d742c8d211d23db31444ae7d68ed25ca371e26830a6f5080c3bc40f1b1039e5ba05cdb715c213b07b4d41653cb6a48368101532

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
1eb833dedf61e4c0d4d36fe1f4c4f9e6

SHA1
e530e69694513cf6ef33c7b3f5d11b2e4d8d21c9

SHA256
b88c6d6e0a64d510512dbddc966fd8d90cf72501a14a726d1e69a817b1546fac

SHA512
8ab8ab0530c07ec53049829428de83651f2fa422c59c494075a74ed59ded02281bb10968622e1f7f97a3e0cab447eb8451e70e3830dfdbfb8d07a6409c849450

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
171KB

MD5
c7f77b92107a9d00bb93cc862e0cabe9

SHA1
ce9e3a6d691ec5b39e3f24e75ca13dd6ac7853d5

SHA256
29ebf815005b550c62fec25ff428d057d85d9a2d57a515895337489ac73447fa

SHA512
58deb70ffa214b0ed2d8c91a17b13a3d04fee734378461b9a07fd2d893fae5466808ccfb627607794a6c2faa637a9a0b490b471434ceeb63f211e5eee45e9991

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
2.5MB

MD5
43562558439e7984af23b099691553db

SHA1
03b351094b4522e7b93c1921c5e03e63a62ef2c5

SHA256
495f12c170ceb3fdcd4ebba3be1c433ddef6aa0acf6b995d84fca41f7d9956a1

SHA512
6181cb6b263af20892afd01eb7b9a35cc651f8c603696f4109dd39c28b64854f238e8e3eefaf3e46b7a0c38eb0cb5ea289e44925e305224cde45d5dce2418251

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE

Filesize
283KB

MD5
4ce02c4ce9fce4e0abf5cc0eda9ddcc7

SHA1
27edd26a01b1e556857a36001e90eb52a15aba6d

SHA256
35018fb3e6aee62ead9f129fd554ce83f970e6aef2d0f4f4fe506b01ecea879f

SHA512
24065c3875fae1ad815dbe54ce7dfd7ad2f0fb3c8f1b2fdf44271911fc84a248451809a97af06508185a89ef3b00718b958d57c4d4c1542c371a1b4d167398b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe

Filesize
324KB

MD5
980c369f6192cb55b89c060c2fb16952

SHA1
a8c17729dadb79cd711c801c63d882e8afc38fd5

SHA256
1fad7c7a1dd18e6094db0b77b91ad286cfc2b8d45f4b353889aad7c94d0382d1

SHA512
43066bed647223822595b862e2c5abdd8f01f5f83af00bda8b211ca1bdfa321a57897e7e111dbf0482902c30a8f6237d52502de24de6ca1fb4ad46ae4c7f7d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

Filesize
47KB

MD5
d919e46f6854a05fb2300d6c0c7c6ad5

SHA1
a72798d3d2058647f29f401d0e2440ff7cbb8cc1

SHA256
871a4d1b803c6d61eb86088ef2c13df71bca8530bf6456dc17cc33e0dfed871f

SHA512
e47d2bf36ea7953d24230a7a8175e715977510dd4e2f04f21b599061377af6656f28d6fb367244ca4de641efdfeb5b7a746dc912be82dca9b05a87bb688924ae

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
424KB

MD5
994ffae187f4e567c6efee378af66ad0

SHA1
0cc35d07e909b7f6595b9c698fe1a8b9b39c7def

SHA256
f0b707b1ab25024ba5a65f68cd4380a66ef0ce9bb880a92e1feee818854fe423

SHA512
bd5320327a24fbab8934395d272869bfa97d77a2ee44ac6eec8fa79b3ffbd4a049bf9dfeeb6b8cc946c295a07bd07ddba41d81c76d452d2c5587b4bf92559e0a

Download Submit
C:\Windows\SysWOW64\dt\2024-10-10_22-27-46-259496399

Filesize
40KB

MD5
107261879782c9af967d0de97fe1b1b0

SHA1
f9ba4de37b74193afdc915187428e16a90703228

SHA256
b2d35687f918b207e6128344fdff750e19ca1773e0a5b42e42426f5155d87c75

SHA512
dcc415940997aecd3b61619c8224a3adeee7b0b80e5bfa23c85a8ee31ae87ee01f1eb3089ae272ad9166c1e452974c96c1eafc0197978e6424bd25abac1c06dd

Download Submit
C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-46-259496399

Filesize
9KB

MD5
0143b96a212a59413cd4d0454560cee5

SHA1
cc16166748f1a5eaba06f67bc480a0826a3f9386

SHA256
8cfc6f73b290b95addaadde22cf1f8a9338ae6161379dc4c0b615c945e98d3a1

SHA512
46a2c82333a32bc690c48a805d383197e12911f64f1381563b8823d6adb478786c33bed85ecfb00b399220232fd4b849fee63855f1cc27ed2f947bc5c26977b0

Download Submit
C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-04-259514652

Filesize
9KB

MD5
256091833cecf3e6529f317ffbc20ec2

SHA1
22ad4914a5f174950414906c1ea498814a583a96

SHA256
9a49bff9981935612303b132741a6a93f5a5e807c55ff9fad30fa693f8a468b6

SHA512
7a9c5ef26025f4a4ef4aaa0302353d9cf1f09ab0179c757a64e49f58608b401b7d0445248b28de5b7d7505a298486847b7c020e1ea74f6176f1d72a80f7f369d

Download Submit
C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-04-259574478

Filesize
9KB

MD5
7f649bc89684b48bbde7b4dcf43675ee

SHA1
17266dbf26dad32f77b9885779989eb08b54bb0b

SHA256
c5cde5868db4e2464f75e931e6dc5734afa95a7d365f00f9114cdc2af88fdd6f

SHA512
6114744ce70ddcfa7ae13baa03d57bfc48e9c0e5f4a23d5c8a04d31126b15ded827dbd8fe56790dad2406d51fe830dc3b7b760aa33e11f646044c84f7fb1c652

Download Submit
C:\Windows\SysWOW64\temporary.bmp

Filesize
206KB

MD5
dc84fc61db3b34b7559947265ddff88a

SHA1
c15a89c84f1202ab36221eebe7b11ee4af2919f9

SHA256
12d8f40a066fd048ea5574f371c1c8e91e79893457d924a703f37a0f41933b82

SHA512
230c9af5db21a7b3220bce336ddd814708d0400cd3ef4187be27113128be580d654811fed591c90360fe050fd7ef15d6fb587b8a61efdb452b22caf859d784f0

Download Submit
C:\Windows\SysWOW64\temporary.bmp

Filesize
226KB

MD5
de8fce09a3e3b347591cc423b2a0e894

SHA1
829e3fe3fd5399b2d97e928f7c8aaa59c5a6716d

SHA256
28d49d38de2e5cb2108ddcb963e18ed99956e9ff9e9ed100a69276809533c6b4

SHA512
2a1197f006829e93b7eae7712ca4b035e93c57c14969efc2ebb2b1da922d84fbbc5776a76425655911ebebc4048d56e523efe2350ec69a74b02ef5079cc3aeb1

Download Submit
C:\Windows\SysWOW64\temporary.bmp

Filesize
2.6MB

MD5
529d7e2670b36ffd26908a0d5bc8f3c0

SHA1
5f9f65623ba16faf881994927846331581a10c69

SHA256
237cfd81ad85094827b6ce49abe607bc9971484ebc54a8b6b4c67bf61580561f

SHA512
59972104d5c5af495173b4650545f193d6fbd48fde0925b23ffee3deba16d990cd3fb368ba4bf483a19afdd3e35e4bcdef812bc37bf88f3a1b14e73d6524513e

Download Submit
C:\Windows\SysWOW64\th_temp.bmp

Filesize
341KB

MD5
2fb8cbf5d3b74767fa7efb037e8e0953

SHA1
9d6293a0fd01f768691bce28754daee2d916dbd3

SHA256
1042a8cde1759be4a782851ee3bc3a0662d13b8608c5dd4e6d594d8385a9d7a3

SHA512
9e7e2f98720f654eb2144b3cbe6f9201c182698caf855a196661bb38e187b3162c168bbcbaad0f88a7c92edf6e50b72c7a57ea7cdab3936ad25bb659bac66a5e

Download Submit
C:\Windows\SysWOW64\th_temp.bmp

Filesize
341KB

MD5
982cd64c6d66ac198c080dc7f8962c09

SHA1
0ce888abeb09b57a7b349899c0c190483af681d5

SHA256
ec21005361cb009749dabe00d51de2c27f00121aa0e63d2e4212a8b6e65e8f56

SHA512
2382d11d0ad5ab2d50ea7086c1bcf4c01b26c3bd4f4525afa3bf9f9e47106d4e2fc42a0926d5cace1ce8fbae1f044e0334cd22aac7e9b085e3fb768845a09a36

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
fd651b26749b4d8b4d2d0f09339be90a

SHA1
0c10f1a739f8446edecde1dbeb1761862cfcc8c4

SHA256
dde104bb2fb56778a639e642b3f97ecf0c5c50143c2ccb75480d457ac3105dfc

SHA512
09f4b87a24d8aecca936ed4bd0e21e870e319bf56eb83c54a0f9d15e1acbb63834e0d64bcf0c5b640fe125f61233d87b33c17511b838063bd4b47c1ef04359bc

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
a6d71c62f8664bdc23654dc629587f1d

SHA1
920da2e650dbff477bef30282e75081f10d82fe1

SHA256
84af23542cf7b23bf5db86e9c94187a2ac1af37ccbe6ccf0d2261e81ab01849f

SHA512
66dd1652fe1a76d2d8238134259951f2d1789990f18b635cfd6ede8ec5e7f9dc3fb133b13c328ebc10336e80468f6be74779956eb0337c68b4414f6d57a835ab

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ae0959989263c327ff6127b9fd5615b0

SHA1
ec1c37a7696545af2a76e7d03a16a089e6b8a406

SHA256
820f2ceecbdd5d8f8ef91dfef61fb7e7797219da2d820234a866894362da6c65

SHA512
d43c0d7be2001384fe1a7dbf997cdda04954cb7449101015d67d095b2dbe4323c5b9f84db0c2e16e1cc6fdbd25346eb95b72985a6b501c85ba7adb4206218538

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
e44fce16321f32173722d37406574f72

SHA1
c1e56310f1fc5cececd61e5b627194300bc73c5d

SHA256
4058d40d93864177407d04733d58f3a69edb6c5617f9f6ae777e92f3da7b9676

SHA512
f5c5241c829bfe8c6e06dcc7ad83405d1566cdf47c21b599e3ee946d800735bad7c18371a832e0fb5acf399443dda4fa755fcf39e056a527ebfe652add7b4c67

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
memory/308-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/588-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/608-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/796-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/968-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1000-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1040-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1068-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1076-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1108-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1136-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1212-217-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1416-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1468-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1648-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1708-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1764-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1960-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-216-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2108-186-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2148-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2172-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2172-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2200-154-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2204-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2224-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2252-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2268-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2456-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2528-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2612-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2616-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2628-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2660-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2676-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2724-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3000-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads