neshta | 938a4f66e8d694b129da1443341cdb731d9d6d8410d4d8ca90700b76f9e0e719

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
Size

364KB
MD5

32108bd2710ad6e446e2a9ae7c56bff6
SHA1

7eec7141af3bfc04af9017d2259f4115916a56ee
SHA256

938a4f66e8d694b129da1443341cdb731d9d6d8410d4d8ca90700b76f9e0e719
SHA512

3a7cb00bd8718eb524f321bb5e5cf403f9a546de1c56bed105a88f6dbc273914e7463942db05164d2a3d4c8001c2821cbd8c35fae65c4b5c0d7ccf62545be316
SSDEEP

6144:PuqgQ/Y2iY1fHAmRd3VVdqM182P906ZY94NGTuq:xxx1fgm7VVUMDVI9O

Score

10^/10

neshta adware discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32108B~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
3112	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
3368	svchost.com
1280	32108B~1.EXE
2620	svchost.com
4460	32108B~1.EXE
436	svchost.com
1344	32108B~1.EXE
2280	svchost.com
232	32108B~1.EXE
3444	svchost.com
4780	32108B~1.EXE
2540	svchost.com
1308	32108B~1.EXE
1584	svchost.com
1716	32108B~1.EXE
2708	svchost.com
2216	32108B~1.EXE
3604	svchost.com
3136	32108B~1.EXE
736	svchost.com
4900	32108B~1.EXE
4280	svchost.com
3720	32108B~1.EXE
1336	svchost.com
2620	32108B~1.EXE
436	svchost.com
4084	32108B~1.EXE
3712	svchost.com
4808	32108B~1.EXE
232	svchost.com
3744	32108B~1.EXE
4652	svchost.com
1016	32108B~1.EXE
5112	svchost.com
4916	32108B~1.EXE
2872	svchost.com
5048	32108B~1.EXE
3532	svchost.com
2752	32108B~1.EXE
3440	svchost.com
2264	32108B~1.EXE
3156	svchost.com
3204	32108B~1.EXE
2676	svchost.com
4516	32108B~1.EXE
4648	svchost.com
5080	32108B~1.EXE
4564	svchost.com
3312	32108B~1.EXE
3368	svchost.com
1280	32108B~1.EXE
3720	svchost.com
2528	32108B~1.EXE
1704	svchost.com
4804	32108B~1.EXE
1036	svchost.com
2928	32108B~1.EXE
3712	svchost.com
2948	32108B~1.EXE
232	svchost.com
672	32108B~1.EXE
1560	svchost.com
2980	32108B~1.EXE
3076	svchost.com

Loads dropped DLL 5 IoCs

pid	Process
8	bpk.exe
8	bpk.exe
8	bpk.exe
2760	A~NSISu_.exe
3980	32108B~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	bpk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-27-46-240647781	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-50-240712187	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-08-240730281	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-47-240648781	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-55-240656812	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-25-240687109	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-46-240708203	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-01-240662875	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-10-240671937	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-26-240688125	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-27-240689109	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-33-240695109	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-16-240678000	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-17-240679015	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-27-49-240650812	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-44-240706203	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-00-240722218	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-31-240752328	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-43-240644765	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-53-240654812	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-42-240704203	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-12-240733312	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-12-240673984	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-05-240727250	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-09-240731296	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-24-240745328	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-06-240728265	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-18-240680031	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-27-240689109	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-54-240716187	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-01-240723234	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-29-240750328	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-14-240676015	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-36-240698156	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-53-240715203	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-27-240748312	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-52-240653843	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-43-240705203	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-26-240747328	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-57-240658843	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-29-240691125	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-28-240690140	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-46-240647781	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-55-240717203	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-03-240725234	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-30-240751312	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-15-240677015	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-25-240687109	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-37-240699156	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-43-240705203	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-27-47-240648781	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-15-240736328	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-28-02-240663906	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-03-240664921	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-27-52-240653843	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-07-240729250	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-27-240748312	bpk.exe
File created	C:\Windows\SysWOW64\dt\2024-10-10_22-29-38-240759312	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-59-240721218	bpk.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-01-240662875	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-37-240699156	bpk.exe
File created	C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-56-240657875	bpk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\svchost.com	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	32108B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32108B~1.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000023b7b-1306.dat	nsis_installer_1

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	rinst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32108B~1.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
8	bpk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
8	bpk.exe
8	bpk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe
8	bpk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3112	4816	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	86
PID 4816 wrote to memory of 3112	4816	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	86
PID 4816 wrote to memory of 3112	4816	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	86
PID 3112 wrote to memory of 3368	3112	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	87
PID 3112 wrote to memory of 3368	3112	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	87
PID 3112 wrote to memory of 3368	3112	32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe	87
PID 3368 wrote to memory of 1280	3368	svchost.com	88
PID 3368 wrote to memory of 1280	3368	svchost.com	88
PID 3368 wrote to memory of 1280	3368	svchost.com	88
PID 1280 wrote to memory of 2620	1280	32108B~1.EXE	110
PID 1280 wrote to memory of 2620	1280	32108B~1.EXE	110
PID 1280 wrote to memory of 2620	1280	32108B~1.EXE	110
PID 2620 wrote to memory of 4460	2620	svchost.com	90
PID 2620 wrote to memory of 4460	2620	svchost.com	90
PID 2620 wrote to memory of 4460	2620	svchost.com	90
PID 4460 wrote to memory of 436	4460	32108B~1.EXE	111
PID 4460 wrote to memory of 436	4460	32108B~1.EXE	111
PID 4460 wrote to memory of 436	4460	32108B~1.EXE	111
PID 436 wrote to memory of 1344	436	svchost.com	92
PID 436 wrote to memory of 1344	436	svchost.com	92
PID 436 wrote to memory of 1344	436	svchost.com	92
PID 1344 wrote to memory of 2280	1344	32108B~1.EXE	93
PID 1344 wrote to memory of 2280	1344	32108B~1.EXE	93
PID 1344 wrote to memory of 2280	1344	32108B~1.EXE	93
PID 2280 wrote to memory of 232	2280	svchost.com	145
PID 2280 wrote to memory of 232	2280	svchost.com	145
PID 2280 wrote to memory of 232	2280	svchost.com	145
PID 232 wrote to memory of 3444	232	32108B~1.EXE	95
PID 232 wrote to memory of 3444	232	32108B~1.EXE	95
PID 232 wrote to memory of 3444	232	32108B~1.EXE	95
PID 3444 wrote to memory of 4780	3444	svchost.com	96
PID 3444 wrote to memory of 4780	3444	svchost.com	96
PID 3444 wrote to memory of 4780	3444	svchost.com	96
PID 4780 wrote to memory of 2540	4780	32108B~1.EXE	97
PID 4780 wrote to memory of 2540	4780	32108B~1.EXE	97
PID 4780 wrote to memory of 2540	4780	32108B~1.EXE	97
PID 2540 wrote to memory of 1308	2540	svchost.com	98
PID 2540 wrote to memory of 1308	2540	svchost.com	98
PID 2540 wrote to memory of 1308	2540	svchost.com	98
PID 1308 wrote to memory of 1584	1308	32108B~1.EXE	99
PID 1308 wrote to memory of 1584	1308	32108B~1.EXE	99
PID 1308 wrote to memory of 1584	1308	32108B~1.EXE	99
PID 1584 wrote to memory of 1716	1584	svchost.com	100
PID 1584 wrote to memory of 1716	1584	svchost.com	100
PID 1584 wrote to memory of 1716	1584	svchost.com	100
PID 1716 wrote to memory of 2708	1716	32108B~1.EXE	101
PID 1716 wrote to memory of 2708	1716	32108B~1.EXE	101
PID 1716 wrote to memory of 2708	1716	32108B~1.EXE	101
PID 2708 wrote to memory of 2216	2708	svchost.com	102
PID 2708 wrote to memory of 2216	2708	svchost.com	102
PID 2708 wrote to memory of 2216	2708	svchost.com	102
PID 2216 wrote to memory of 3604	2216	32108B~1.EXE	103
PID 2216 wrote to memory of 3604	2216	32108B~1.EXE	103
PID 2216 wrote to memory of 3604	2216	32108B~1.EXE	103
PID 3604 wrote to memory of 3136	3604	svchost.com	104
PID 3604 wrote to memory of 3136	3604	svchost.com	104
PID 3604 wrote to memory of 3136	3604	svchost.com	104
PID 3136 wrote to memory of 736	3136	32108B~1.EXE	105
PID 3136 wrote to memory of 736	3136	32108B~1.EXE	105
PID 3136 wrote to memory of 736	3136	32108B~1.EXE	105
PID 736 wrote to memory of 4900	736	svchost.com	196
PID 736 wrote to memory of 4900	736	svchost.com	196
PID 736 wrote to memory of 4900	736	svchost.com	196
PID 4900 wrote to memory of 4280	4900	32108B~1.EXE	164

C:\Users\Admin\AppData\Local\Temp\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\3582-490\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        66⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        68⤵
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        70⤵
        
        PID:4980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        71⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        72⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        73⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        74⤵
        Modifies registry class
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        75⤵
        Drops file in Windows directory
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        76⤵
        Modifies registry class
        
        PID:4800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        78⤵
        Drops file in Windows directory
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        80⤵
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        81⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        82⤵
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        84⤵
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        85⤵
        Drops file in Windows directory
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        87⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        89⤵
        Drops file in Windows directory
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        90⤵
        Modifies registry class
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        91⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        92⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        93⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        94⤵
        Checks computer location settings
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        95⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        96⤵
        Checks computer location settings
        
        PID:4916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        97⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        99⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        100⤵
        Modifies registry class
        
        PID:1548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        101⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        102⤵
        Drops file in Windows directory
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        104⤵
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        105⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        106⤵
        
        PID:3864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        107⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        109⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        110⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        112⤵
        Checks computer location settings
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        113⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        114⤵
        Modifies registry class
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        115⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        116⤵
        Modifies registry class
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        118⤵
        Checks computer location settings
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        119⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        120⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        121⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        122⤵
        Checks computer location settings
        
        PID:3436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        123⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        125⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        126⤵
        Drops file in Windows directory
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        127⤵
        Drops file in Windows directory
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        128⤵
        Checks computer location settings
        Modifies registry class
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        129⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        130⤵
        
        PID:468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        131⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        132⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        133⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        134⤵
        Checks computer location settings
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        135⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        136⤵
        Modifies registry class
        
        PID:4176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        137⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        138⤵
        
        PID:5024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        139⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        140⤵
        Checks computer location settings
        Modifies registry class
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        141⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        142⤵
        Modifies registry class
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        143⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        144⤵
        Checks computer location settings
        
        PID:3076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        145⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        146⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        147⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        149⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        150⤵
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        151⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        152⤵
        
        PID:3172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        153⤵
        Drops file in Windows directory
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        154⤵
        
        PID:1668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        156⤵
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        157⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        158⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        159⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        161⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        162⤵
        Modifies registry class
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        163⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        165⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        166⤵
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        168⤵
        Checks computer location settings
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        171⤵
        Drops file in Windows directory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        172⤵
        
        PID:4244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        173⤵
        Drops file in Windows directory
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        174⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        176⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        177⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        178⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        179⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        180⤵
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        181⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        182⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        183⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        185⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        186⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        187⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        188⤵
        Modifies registry class
        
        PID:3496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        190⤵
        
        PID:3436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        191⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        192⤵
        Checks computer location settings
        
        PID:516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        194⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        195⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        198⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        199⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        200⤵
        
        PID:4612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        201⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        202⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        203⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        204⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        205⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        206⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        207⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        208⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        209⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        210⤵
        
        PID:3100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        211⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        212⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        213⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        214⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        215⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        216⤵
        Drops file in Windows directory
        
        PID:3260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        217⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        218⤵
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        219⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        220⤵
        Drops file in Windows directory
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        221⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        222⤵
        
        PID:3708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        223⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        224⤵
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        225⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        226⤵
        Checks computer location settings
        
        PID:3668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        227⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        228⤵
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        229⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        230⤵
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        231⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        232⤵
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        233⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        234⤵
        Checks computer location settings
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        235⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        236⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        237⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        238⤵
        Drops file in Windows directory
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        239⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        240⤵
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        242⤵
        Modifies registry class
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        243⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        244⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        245⤵
        Drops file in Windows directory
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        246⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        247⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        248⤵
        Checks computer location settings
        
        PID:3656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        249⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        251⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        253⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        254⤵
        Checks computer location settings
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        255⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        257⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        258⤵
        Checks computer location settings
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        259⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        260⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        261⤵
        Drops file in Windows directory
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        262⤵
        Modifies registry class
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        264⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        265⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        266⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        267⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        268⤵
        Checks computer location settings
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        269⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        270⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        271⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        272⤵
        Modifies registry class
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        273⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        275⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        276⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        277⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        279⤵
        Drops file in Windows directory
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        280⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        281⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        282⤵
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        283⤵
        Drops file in Windows directory
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        284⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        285⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        286⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        287⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        288⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        289⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        290⤵
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        291⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        292⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        293⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        294⤵
        
        PID:3204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        295⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        296⤵
        Checks computer location settings
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        297⤵
        Drops file in Windows directory
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        298⤵
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        299⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        300⤵
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        301⤵
        Drops file in Windows directory
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        302⤵
        Modifies registry class
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        303⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        304⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        305⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        306⤵
        Drops file in Windows directory
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        307⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        308⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        309⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        310⤵
        
        PID:3696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        311⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        312⤵
        Checks computer location settings
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        313⤵
        Drops file in Windows directory
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        314⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        315⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        316⤵
        Drops file in Windows directory
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        317⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        318⤵
        Checks computer location settings
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        319⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        320⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        321⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        322⤵
        
        PID:3100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        323⤵
        Drops file in Windows directory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        324⤵
        Drops file in Windows directory
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        325⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        326⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        327⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        328⤵
        Modifies registry class
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        329⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        330⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        331⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        332⤵
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        333⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        334⤵
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        335⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        336⤵
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        337⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        338⤵
        Drops file in Windows directory
        
        PID:436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        339⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        340⤵
        
        PID:3812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        341⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        342⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        343⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        344⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        345⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        346⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        347⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        348⤵
        Drops file in Windows directory
        
        PID:2488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        349⤵
        Drops file in Windows directory
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        350⤵
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        351⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        352⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        353⤵
        Drops file in Windows directory
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        354⤵
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        355⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        356⤵
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        357⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        358⤵
        
        PID:3512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        359⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        360⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        361⤵
        Drops file in Windows directory
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        362⤵
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        363⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        364⤵
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE"
        365⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\32108B~1.EXE
        366⤵
        Loads dropped DLL
        
        PID:3980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
        367⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
        368⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\uninst.exe"
        369⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\uninst.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\uninst.exe
        370⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\RarSFX0\
        371⤵
        Loads dropped DLL
        
        PID:2760
        
        C:\Windows\SysWOW64\bpk.exe
        
        C:\Windows\system32\bpk.exe
        369⤵
        Loads dropped DLL
        Adds Run key to start application
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:8

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv NUH9w+HQgUSTz6rOTm3lwg.0.1
1⤵
PID:812

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
eeb875c0b3c567ce160b6065fa9955c0

SHA1
ee0e1efba40d38746a54bc285f0bd38198550564

SHA256
995bd211c7e3bb5e6ed86064d2c648537b2c5c058f3ca81ab9307cdb0ac2530a

SHA512
416bece422edd84337b789bdbd1e3f888d67dfe1dabbd114ebf07b968d68b848cc10880c2ad439413b47cf1191c273125130399bcc9c4a2ed5719553c51c3ad6

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
3e4c1ecf89d19b8484e386008bb37a25

SHA1
a9a92b63645928e8a92dc395713d3c5b921026b7

SHA256
1ebe469c94c2c2a5acbc3927cef19dbe2f583ba3651a55623633891c4c05cc22

SHA512
473d03abbb61609749a176a0724e427599a4f4707d72a74ed457b2198098f59fdf64b5394798db82f4064dfe964083d70af6a50a5fa2ab2674c77a99792e4e52

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
3da833f022988fbc093129595cc8591c

SHA1
fdde5a7fb7a60169d2967ff88c6aba8273f12e36

SHA256
1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66

SHA512
1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
3e8712e3f8ce04d61b1c23d9494e1154

SHA1
7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4

SHA256
7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9

SHA512
d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
66a77a65eea771304e524dd844c9846a

SHA1
f7e3b403439b5f63927e8681a64f62caafe9a360

SHA256
9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6

SHA512
3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
823cb3e3a3de255bdb0d1f362f6f48ab

SHA1
9027969c2f7b427527b23cb7ab1a0abc1898b262

SHA256
b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f

SHA512
0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
961c73fd70b543a6a3c816649e5f8fce

SHA1
8dbdc7daeb83110638d192f65f6d014169e0a79b

SHA256
f94ddaf929fb16d952b79c02e78439a10dd2faa78f7f66b7d52de2675e513103

SHA512
e5d97ee63b02abc65add41f6721514515b34fd79f7db23ae04cf608c2f7e0504e00b07694047b982d14d60cccf6f833b50268c693e3baf1b697d3370c0bba0b6

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ead399a43035cf6544c96d014436fc9a

SHA1
c8ef64abb6c56cbd02e851a98214620459c8b947

SHA256
38b06ee250af6554e6740a1bb7acfb77b99ccdb8081880e01c386afa98668766

SHA512
6fa46a36c17c9496c18843e04d78d5146cdea173a74acacd9b7c63d220c49fa3a1acb65f91fe7214a1ae82ebf63fb5366beecd7f9e0aeee0cbab5d1bd0aa6d14

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
7e7cd5cbbfdecc88b1c7bec686aae697

SHA1
bb06d8ce98e18c7feafe18c8c3e2c87c7cb6d452

SHA256
26849cb31bbe996626b0cb6136a28cf3b4d526416092e1064693625dabc1f85d

SHA512
8e52c960774e5947e8a50865b009f4f0d7cf7e7b397c55b2164778197a3b5f22f011762a9da36d8a19c26227b71a377c97e3c9a394f557eb25f5f55d539a02ff

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
6ecccb4bab82a4971897aa0bcb2f14be

SHA1
1c680d6f8ca6a0436b5935906a2d9c4699a7a412

SHA256
c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1

SHA512
d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
a12297c17e3747647d5c29d67edd4d9a

SHA1
6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d

SHA256
288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2

SHA512
e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\32108bd2710ad6e446e2a9ae7c56bff6_JaffaCakes118.exe

Filesize
324KB

MD5
980c369f6192cb55b89c060c2fb16952

SHA1
a8c17729dadb79cd711c801c63d882e8afc38fd5

SHA256
1fad7c7a1dd18e6094db0b77b91ad286cfc2b8d45f4b353889aad7c94d0382d1

SHA512
43066bed647223822595b862e2c5abdd8f01f5f83af00bda8b211ca1bdfa321a57897e7e111dbf0482902c30a8f6237d52502de24de6ca1fb4ad46ae4c7f7d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

Filesize
47KB

MD5
d919e46f6854a05fb2300d6c0c7c6ad5

SHA1
a72798d3d2058647f29f401d0e2440ff7cbb8cc1

SHA256
871a4d1b803c6d61eb86088ef2c13df71bca8530bf6456dc17cc33e0dfed871f

SHA512
e47d2bf36ea7953d24230a7a8175e715977510dd4e2f04f21b599061377af6656f28d6fb367244ca4de641efdfeb5b7a746dc912be82dca9b05a87bb688924ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
fbe4bab53f74d3049ef4b306d4cd8742

SHA1
6504b63908997a71a65997fa31eda4ae4de013e7

SHA256
446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

SHA512
d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

Download Submit
C:\Windows\SysWOW64\dt\2024-10-10_22-27-46-240647781

Filesize
44KB

MD5
b91e4c733be9f1fe283019b57f11485e

SHA1
2b54aa84ae092d58a14aa9206c4a6746810d62a4

SHA256
c4da32a75de84967a5aecee5ec71081adb222e35347b361ac797ce2be56cbbc5

SHA512
17ba703599515616f4615f45ff2e3ecf7ca3a67df144445f0f42d3e9de08110c8e7ccd7d9cb386c8fb321f4343e1b5c7a0fceda33578a783264f012256debfca

Download Submit
C:\Windows\SysWOW64\dt\2024-10-10_22-27-52-240653843

Filesize
43KB

MD5
3523b6e6cce5b5b7ccf6aa3279ef0547

SHA1
b21274a30ea02ff089325e6261cbb8eed32b69ae

SHA256
8b3a1649500c8b87fbd80d6d6a70243a6e7a6fe6989fdc50663639ab744251a1

SHA512
934b76d2acbaa27033d9edefadeaab127f07d3e19de3ec85ce2e961578fa850fa77e82d46186a11c57a82d6908ae3c46e77ef3628f4e9263bbdea522a2f80859

Download Submit
C:\Windows\SysWOW64\dt\2024-10-10_22-27-58-240659828

Filesize
40KB

MD5
6b1938288bba9a81efae86fc3e8a274a

SHA1
48abfb4bb6c378098f867f734f7e39945c348ceb

SHA256
8839138f748937b457b4ce830bfede7ac71cef9289e6d2bb2c9d11544f964a59

SHA512
6a1c706b4318ba4b47e1ec03b5df599baddcdfadc8e5db8344e68f1a4362e79108cfa2de64b98d897f2411455f280ca01e9469ace3f2f23bf3b8ad190b948bf8

Download Submit
C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-46-240647781

Filesize
10KB

MD5
2b061d05c0b46c1751c3a08eecc9886a

SHA1
a1c5013508c55a2502d2459dda8f1f903b640d28

SHA256
59e323731f0206c32c19356a26781fe035925c4a96cb0e4cbbd9fd595f43ba55

SHA512
4435396e738b558f33941822a8cac9f342c9f9ba9469fbc5b9f03e4ec290127bf3200e3c8089cf51d35fa47047fc68b13e86c4b34cfd59259a2a03002900a0e6

Download Submit
C:\Windows\SysWOW64\dt\th_2024-10-10_22-27-52-240653843

Filesize
10KB

MD5
d5ef5c1f1851ca926559dc1d20cac260

SHA1
255a5189b5d1fdaff1748225b754570f501a41e9

SHA256
593a5bd0537150ece0285a2122872c0692e3cd9085865ea9e87735fc5c03d63a

SHA512
5465289ae3c66297fd77d197c200701fb3e6a72d7dce74177e5c9e12eb53311b5b6306eadcc2fd45db642748f06dd341f7a5bef4b510cfecf622da1c02cfdcaf

Download Submit
C:\Windows\SysWOW64\dt\th_2024-10-10_22-28-04-240665921

Filesize
9KB

MD5
97c0a8279f1914d2b223b3943a5d0f85

SHA1
81ab338b6ade80aecf7dd85c5f2e8e355bea2744

SHA256
1aac257eb3a2700d52cb0fb4352620f8196459edd845fa05389167a00c8a6930

SHA512
58c25a823475bfab222d429a8d3f14be2f6f611c03fed568049d9d1b8b41e3f6cbb9b49898431fa83de398b62561e1e12ef6155abed2e0eec6f1336962ad2255

Download Submit
C:\Windows\SysWOW64\dt\th_2024-10-10_22-29-04-240726234

Filesize
9KB

MD5
7dae39c90418cd299bf77b166a17ac90

SHA1
aa60ef0ef5bbd980a74d193090ac788b198c13a1

SHA256
ad237c3ccd0d47ca6806c38a0c5af9f268ecadf88ec9e989743bb16da548d603

SHA512
0eb3898fde214648eabd08767c99990d67869a64653bb89ac33a01325130327984eeb508b43c5700ff236729231db8a9f9da3dddaa5b2e67acff67fa92c8aaa7

Download Submit
C:\Windows\SysWOW64\temporary.bmp

Filesize
2.6MB

MD5
1fa13c86713906c8356802c9c75e043b

SHA1
24d70d767c419de83c765c9070d95e9858bf3838

SHA256
331876e39395c5b5394794630decd74c25fe1a36f19eddeb96d7db578bbb32ae

SHA512
ed23e1bba00903a0fab36b743d87534be2889ce3e5deffa75e6961ab498a003c53bf94e745f3663ce78ca1b5c786fdc543fa24b4f98d42ba2c57471288b85f95

Download Submit
C:\Windows\SysWOW64\temporary.bmp

Filesize
2.6MB

MD5
08155890e3c9941925841b4328015c0f

SHA1
2a24ca68a1391a1cd0398b40db2b4019a5f2f158

SHA256
8114f5a00d7ad35d5d9186a7cead1cd7decbc6744bf268e46bf68618e267fd9e

SHA512
afa9970ef24d1cbd4e346683b660f17ef6ad2f680c1dfd86ca600eb187e5e04a5e7bfa15bdc977952f1fc4b472722c3ddebb372206b716996eb128863d3db79a

Download Submit
C:\Windows\SysWOW64\th_temp.bmp

Filesize
341KB

MD5
49501e154288c3a0f76af68225867067

SHA1
f7f11dcd8aab9c0c135f4164feab8d74151c2904

SHA256
f07c7cc8bf384dea2bc9648b96818cfe5e1f166a68fa9e6f728b3a5cd39598f2

SHA512
5a26b2e06a7b4b1713922ee959a88c3911f323f6c2d2c2e098326a97f0cda63e2842c2234a0fed6b1faab204924eec904711744c7cceaf5bf6c0c6e2f7531ad0

Download Submit
C:\Windows\SysWOW64\th_temp.bmp

Filesize
341KB

MD5
e813c976826a796af5e114f183f7ee41

SHA1
057fb85fd3c261e99f9cd4c4f4c22a192cebbbb9

SHA256
d96af70b5dfa96f5762946f1c59944a16582b64a0e7473926cb3474f55fe786a

SHA512
8b17a02fc3edd216e7c2b3344ee128ec97e32abdfea308a0892476d3ef8849dd1ad5dffd0bd368aae82fc4b4cfc0621abc93e63b8131553899b5eff269d4e749

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
a6d71c62f8664bdc23654dc629587f1d

SHA1
920da2e650dbff477bef30282e75081f10d82fe1

SHA256
84af23542cf7b23bf5db86e9c94187a2ac1af37ccbe6ccf0d2261e81ab01849f

SHA512
66dd1652fe1a76d2d8238134259951f2d1789990f18b635cfd6ede8ec5e7f9dc3fb133b13c328ebc10336e80468f6be74779956eb0337c68b4414f6d57a835ab

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ae0959989263c327ff6127b9fd5615b0

SHA1
ec1c37a7696545af2a76e7d03a16a089e6b8a406

SHA256
820f2ceecbdd5d8f8ef91dfef61fb7e7797219da2d820234a866894362da6c65

SHA512
d43c0d7be2001384fe1a7dbf997cdda04954cb7449101015d67d095b2dbe4323c5b9f84db0c2e16e1cc6fdbd25346eb95b72985a6b501c85ba7adb4206218538

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
e44fce16321f32173722d37406574f72

SHA1
c1e56310f1fc5cececd61e5b627194300bc73c5d

SHA256
4058d40d93864177407d04733d58f3a69edb6c5617f9f6ae777e92f3da7b9676

SHA512
f5c5241c829bfe8c6e06dcc7ad83405d1566cdf47c21b599e3ee946d800735bad7c18371a832e0fb5acf399443dda4fa755fcf39e056a527ebfe652add7b4c67

Download Submit
memory/232-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/436-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/436-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/672-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/736-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1016-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1036-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1280-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1280-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1336-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1344-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1560-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1584-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1704-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1716-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2280-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2528-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2540-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2620-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2620-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2676-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2928-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3076-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3136-179-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3156-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3204-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3312-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3368-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3368-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3440-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3532-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3604-154-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3712-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3712-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3720-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3720-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3744-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4084-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4280-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4460-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4516-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4564-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4648-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4652-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4780-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4808-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4900-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4916-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5048-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5080-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5112-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads