neshta | 961fcc4c0b3ca9d9f553d39227ca0629cc01f3eab3bf681c1644f9134f184727

Analysis

max time kernel
95s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
Size

297KB
MD5

3211fb257bb634726e4897f65477708b
SHA1

5cc6d72aaa4b986e3c3447b4d32468a4353902aa
SHA256

961fcc4c0b3ca9d9f553d39227ca0629cc01f3eab3bf681c1644f9134f184727
SHA512

ae3f06d9e430c8e349883eadd47568b70c4cc20ca84aa0e98c249ebf4e3160766ab59ea7f659b761de39498a802f4954c6e621805ff48df98a3df29361b0982e
SSDEEP

6144:PuivkfYlPm3zKJbTP+W0aHwpALVWrRmyEu:Bg92TWW0WwO5WU

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3211FB~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
1900	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
796	svchost.com
4204	3211FB~1.EXE
2296	svchost.com
3024	3211FB~1.EXE
4984	svchost.com
232	3211FB~1.EXE
5052	svchost.com
3584	3211FB~1.EXE
4488	svchost.com
4380	3211FB~1.EXE
5112	svchost.com
3588	3211FB~1.EXE
1464	svchost.com
3920	3211FB~1.EXE
1756	svchost.com
1616	3211FB~1.EXE
4288	svchost.com
4956	3211FB~1.EXE
2244	svchost.com
3044	3211FB~1.EXE
2864	svchost.com
1928	3211FB~1.EXE
1472	svchost.com
2728	3211FB~1.EXE
4648	svchost.com
4024	3211FB~1.EXE
3284	svchost.com
2196	3211FB~1.EXE
1328	svchost.com
436	3211FB~1.EXE
4988	svchost.com
4560	3211FB~1.EXE
1196	svchost.com
2216	3211FB~1.EXE
3440	svchost.com
1292	3211FB~1.EXE
1188	svchost.com
3456	3211FB~1.EXE
1528	svchost.com
1756	3211FB~1.EXE
4528	svchost.com
2072	3211FB~1.EXE
4720	svchost.com
4796	3211FB~1.EXE
2948	svchost.com
3836	3211FB~1.EXE
3064	svchost.com
3648	3211FB~1.EXE
3444	svchost.com
700	3211FB~1.EXE
1876	svchost.com
3548	3211FB~1.EXE
3772	svchost.com
4596	3211FB~1.EXE
2468	svchost.com
556	3211FB~1.EXE
4400	svchost.com
1904	3211FB~1.EXE
4072	svchost.com
1348	3211FB~1.EXE
4024	svchost.com
1324	3211FB~1.EXE
1160	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	3211FB~1.EXE
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	3211FB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3211FB~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	3211FB~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1900	2868	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe	84
PID 2868 wrote to memory of 1900	2868	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe	84
PID 2868 wrote to memory of 1900	2868	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe	84
PID 1900 wrote to memory of 796	1900	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe	86
PID 1900 wrote to memory of 796	1900	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe	86
PID 1900 wrote to memory of 796	1900	3211fb257bb634726e4897f65477708b_JaffaCakes118.exe	86
PID 796 wrote to memory of 4204	796	svchost.com	87
PID 796 wrote to memory of 4204	796	svchost.com	87
PID 796 wrote to memory of 4204	796	svchost.com	87
PID 4204 wrote to memory of 2296	4204	3211FB~1.EXE	88
PID 4204 wrote to memory of 2296	4204	3211FB~1.EXE	88
PID 4204 wrote to memory of 2296	4204	3211FB~1.EXE	88
PID 2296 wrote to memory of 3024	2296	svchost.com	89
PID 2296 wrote to memory of 3024	2296	svchost.com	89
PID 2296 wrote to memory of 3024	2296	svchost.com	89
PID 3024 wrote to memory of 4984	3024	3211FB~1.EXE	91
PID 3024 wrote to memory of 4984	3024	3211FB~1.EXE	91
PID 3024 wrote to memory of 4984	3024	3211FB~1.EXE	91
PID 4984 wrote to memory of 232	4984	svchost.com	92
PID 4984 wrote to memory of 232	4984	svchost.com	92
PID 4984 wrote to memory of 232	4984	svchost.com	92
PID 232 wrote to memory of 5052	232	3211FB~1.EXE	93
PID 232 wrote to memory of 5052	232	3211FB~1.EXE	93
PID 232 wrote to memory of 5052	232	3211FB~1.EXE	93
PID 5052 wrote to memory of 3584	5052	svchost.com	94
PID 5052 wrote to memory of 3584	5052	svchost.com	94
PID 5052 wrote to memory of 3584	5052	svchost.com	94
PID 3584 wrote to memory of 4488	3584	3211FB~1.EXE	95
PID 3584 wrote to memory of 4488	3584	3211FB~1.EXE	95
PID 3584 wrote to memory of 4488	3584	3211FB~1.EXE	95
PID 4488 wrote to memory of 4380	4488	svchost.com	96
PID 4488 wrote to memory of 4380	4488	svchost.com	96
PID 4488 wrote to memory of 4380	4488	svchost.com	96
PID 4380 wrote to memory of 5112	4380	3211FB~1.EXE	97
PID 4380 wrote to memory of 5112	4380	3211FB~1.EXE	97
PID 4380 wrote to memory of 5112	4380	3211FB~1.EXE	97
PID 5112 wrote to memory of 3588	5112	svchost.com	98
PID 5112 wrote to memory of 3588	5112	svchost.com	98
PID 5112 wrote to memory of 3588	5112	svchost.com	98
PID 3588 wrote to memory of 1464	3588	3211FB~1.EXE	99
PID 3588 wrote to memory of 1464	3588	3211FB~1.EXE	99
PID 3588 wrote to memory of 1464	3588	3211FB~1.EXE	99
PID 1464 wrote to memory of 3920	1464	svchost.com	100
PID 1464 wrote to memory of 3920	1464	svchost.com	100
PID 1464 wrote to memory of 3920	1464	svchost.com	100
PID 3920 wrote to memory of 1756	3920	3211FB~1.EXE	126
PID 3920 wrote to memory of 1756	3920	3211FB~1.EXE	126
PID 3920 wrote to memory of 1756	3920	3211FB~1.EXE	126
PID 1756 wrote to memory of 1616	1756	svchost.com	102
PID 1756 wrote to memory of 1616	1756	svchost.com	102
PID 1756 wrote to memory of 1616	1756	svchost.com	102
PID 1616 wrote to memory of 4288	1616	3211FB~1.EXE	103
PID 1616 wrote to memory of 4288	1616	3211FB~1.EXE	103
PID 1616 wrote to memory of 4288	1616	3211FB~1.EXE	103
PID 4288 wrote to memory of 4956	4288	svchost.com	104
PID 4288 wrote to memory of 4956	4288	svchost.com	104
PID 4288 wrote to memory of 4956	4288	svchost.com	104
PID 4956 wrote to memory of 2244	4956	3211FB~1.EXE	105
PID 4956 wrote to memory of 2244	4956	3211FB~1.EXE	105
PID 4956 wrote to memory of 2244	4956	3211FB~1.EXE	105
PID 2244 wrote to memory of 3044	2244	svchost.com	106
PID 2244 wrote to memory of 3044	2244	svchost.com	106
PID 2244 wrote to memory of 3044	2244	svchost.com	106
PID 3044 wrote to memory of 2864	3044	3211FB~1.EXE	107

C:\Users\Admin\AppData\Local\Temp\3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3211fb257bb634726e4897f65477708b_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\3582-490\3211fb257bb634726e4897f65477708b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\3211fb257bb634726e4897f65477708b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        66⤵
        Drops file in Windows directory
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        67⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        68⤵
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        69⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        70⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        71⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        73⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        74⤵
        Modifies registry class
        
        PID:1524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        75⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        76⤵
        Checks computer location settings
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        77⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        78⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        79⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        80⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        81⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        82⤵
        Checks computer location settings
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        83⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        84⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        85⤵
        Drops file in Windows directory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        86⤵
        Modifies registry class
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        87⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        88⤵
        Checks computer location settings
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        89⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        90⤵
        Modifies registry class
        
        PID:4104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        91⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        92⤵
        Modifies registry class
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        93⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        94⤵
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        95⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        96⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        97⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        98⤵
        Checks computer location settings
        
        PID:1348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        99⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        100⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        101⤵
        Drops file in Windows directory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        102⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        104⤵
        Checks computer location settings
        
        PID:3500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        105⤵
        Drops file in Windows directory
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        106⤵
        
        PID:3948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        107⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        109⤵
        Drops file in Windows directory
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        111⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        112⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        113⤵
        Drops file in Windows directory
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        114⤵
        Modifies registry class
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        115⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        117⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        118⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        120⤵
        
        PID:3888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        121⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        122⤵
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        123⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        124⤵
        Drops file in Windows directory
        
        PID:3776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        125⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        126⤵
        Modifies registry class
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        127⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        128⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        129⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        130⤵
        Drops file in Windows directory
        
        PID:4712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        131⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        132⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        133⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        134⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        135⤵
        Drops file in Windows directory
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        136⤵
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        137⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        138⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        139⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        140⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        142⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        143⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        144⤵
        Modifies registry class
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        145⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        146⤵
        Drops file in Windows directory
        
        PID:3156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        147⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        148⤵
        
        PID:3384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        149⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        150⤵
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        151⤵
        Drops file in Windows directory
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        152⤵
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        153⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        154⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        155⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        156⤵
        Checks computer location settings
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        157⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        158⤵
        Modifies registry class
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        159⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        160⤵
        Checks computer location settings
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        161⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        162⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        163⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        164⤵
        
        PID:4452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        165⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        166⤵
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        168⤵
        
        PID:644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        169⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        170⤵
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        171⤵
        Drops file in Windows directory
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        172⤵
        Drops file in Windows directory
        
        PID:4332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        173⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        174⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        175⤵
        Drops file in Windows directory
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        176⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        177⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        178⤵
        
        PID:3872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        179⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        180⤵
        Checks computer location settings
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        181⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        182⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        185⤵
        Drops file in Windows directory
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        186⤵
        Drops file in Windows directory
        
        PID:2384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        187⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        188⤵
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        190⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        191⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        192⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        194⤵
        Checks computer location settings
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        195⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        196⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        197⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        198⤵
        
        PID:2340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        199⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        200⤵
        Modifies registry class
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        201⤵
        Drops file in Windows directory
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        202⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        204⤵
        
        PID:3416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        205⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        206⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        207⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        208⤵
        Drops file in Windows directory
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        209⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        210⤵
        Checks computer location settings
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        211⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        212⤵
        Modifies registry class
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        213⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        214⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        216⤵
        
        PID:644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        217⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        218⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        219⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        220⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        221⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        222⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        223⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        224⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        225⤵
        Drops file in Windows directory
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        227⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        228⤵
        
        PID:3908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        229⤵
        Drops file in Windows directory
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        230⤵
        Checks computer location settings
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        231⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        232⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        234⤵
        
        PID:448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        235⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        236⤵
        Checks computer location settings
        
        PID:5004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        237⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        238⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        240⤵
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        241⤵
        Drops file in Windows directory
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        242⤵
        Drops file in Windows directory
        
        PID:4288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        244⤵
        Drops file in Windows directory
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        245⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        246⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        247⤵
        Drops file in Windows directory
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        248⤵
        Checks computer location settings
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        249⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        250⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        251⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        252⤵
        Checks computer location settings
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        253⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        254⤵
        Modifies registry class
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        255⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        256⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        257⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        258⤵
        
        PID:1096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        259⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        260⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        261⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        262⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        264⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        265⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        266⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        268⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        269⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        270⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        271⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        273⤵
        Drops file in Windows directory
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        274⤵
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        275⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        276⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        277⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        278⤵
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        279⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        280⤵
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        281⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        282⤵
        Modifies registry class
        
        PID:3440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        283⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        284⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        285⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        286⤵
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        287⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        288⤵
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        289⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        290⤵
        Modifies registry class
        
        PID:868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        291⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        292⤵
        Drops file in Windows directory
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        293⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        294⤵
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        295⤵
        Drops file in Windows directory
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        296⤵
        Modifies registry class
        
        PID:4244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        297⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        298⤵
        Checks computer location settings
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        299⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        300⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        301⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        302⤵
        
        PID:1328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        303⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        304⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        306⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        307⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        308⤵
        Modifies registry class
        
        PID:1888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        309⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        310⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        311⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        312⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        313⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        314⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        315⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        316⤵
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        318⤵
        Modifies registry class
        
        PID:3440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        319⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        320⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        321⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        322⤵
        Drops file in Windows directory
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        323⤵
        Drops file in Windows directory
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        324⤵
        Drops file in Windows directory
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        326⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        327⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        328⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        329⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        330⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        331⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        332⤵
        Modifies registry class
        
        PID:2488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        334⤵
        Checks computer location settings
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        335⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        336⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        337⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        338⤵
        
        PID:4632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        339⤵
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        340⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        341⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        342⤵
        
        PID:4720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        344⤵
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        345⤵
        Drops file in Windows directory
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        346⤵
        Modifies registry class
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        347⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        348⤵
        Checks computer location settings
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        349⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        350⤵
        Checks computer location settings
        
        PID:1476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        351⤵
        Drops file in Windows directory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        352⤵
        Modifies registry class
        
        PID:4656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        354⤵
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        355⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        356⤵
        Modifies registry class
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        357⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        358⤵
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        360⤵
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        361⤵
        Drops file in Windows directory
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        362⤵
        Checks computer location settings
        Modifies registry class
        
        PID:376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        363⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        364⤵
        Modifies registry class
        
        PID:400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        365⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        366⤵
        Checks computer location settings
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        367⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        368⤵
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        369⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        370⤵
        Modifies registry class
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE"
        371⤵
        Drops file in Windows directory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\3211FB~1.EXE
        372⤵
        
        PID:1776

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3776

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
ef63e5ccbea2788d900f1c70a6159c68

SHA1
4ac2e144f9dd97a0cd061b76be89f7850887c166

SHA256
a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45

SHA512
913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
224KB

MD5
5d233356dfa22801c3e640617a776426

SHA1
fdd7f38ddc4f86f810fe1b2da34dbd08c57a3b7d

SHA256
e3cb39b6e8349161392be4d69a24739cc8680a4f4684232c0aefaa5ff2b35cb2

SHA512
b8d293d65eb7e91f9d1cedc243503486354fd0ab4d7522a4fd66c67b7624121f9d9d4a1c5d62e8748b8d149afb6c32c3ed5a1f2d8d5a2d6e01cf652cabea8b01

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
66a77a65eea771304e524dd844c9846a

SHA1
f7e3b403439b5f63927e8681a64f62caafe9a360

SHA256
9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6

SHA512
3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ead399a43035cf6544c96d014436fc9a

SHA1
c8ef64abb6c56cbd02e851a98214620459c8b947

SHA256
38b06ee250af6554e6740a1bb7acfb77b99ccdb8081880e01c386afa98668766

SHA512
6fa46a36c17c9496c18843e04d78d5146cdea173a74acacd9b7c63d220c49fa3a1acb65f91fe7214a1ae82ebf63fb5366beecd7f9e0aeee0cbab5d1bd0aa6d14

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
8d0921a30f1cb052f128c5bd36d8c2a1

SHA1
a9a4414169816b948e38042949be75f003c97a70

SHA256
93aa55a533cbbfefd76c0acfc170928e5b658d677365a23b98317fc33804ae90

SHA512
206107a8d82709e075dbda67d9330e31aefb748af7a64b7145bfe5ca54a51fb605e2ed050cb951d2c0e95d04768a452d70bf90cbfbdb58bc2647bfc722c8ce66

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
a12297c17e3747647d5c29d67edd4d9a

SHA1
6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d

SHA256
288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2

SHA512
e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
b6283a7eb554d995d9a7c72dcfca14b5

SHA1
67d64907800c611bbcefd31d2494da12962f5022

SHA256
099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881

SHA512
a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
619314ef3e2e5abde1bb19dbce363220

SHA1
5fc9e9c74d8fdc9d185f524dc1364500883c4eef

SHA256
763c48c14695500dd1f8b1b88f7be84a9fe95d9a7bb63211f74cbe210e0a58af

SHA512
5389516629a884b109950254398d1453fd573ce6f73ff3479322c1361ec990b53cd0cec2fbe366e7ab0ba704bfb1f5fd58dc7ec3d81254c9256973f4983ec360

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a31628879099ba1efd1b63e81771f6c7

SHA1
42d9de49d0465c907be8ee1ef1ccf3926b8825fe

SHA256
031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc

SHA512
0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3211fb257bb634726e4897f65477708b_JaffaCakes118.exe

Filesize
256KB

MD5
2cbbe2521e3fbdf6013f4659520eae77

SHA1
d6c9386ff92d25b1ed84596ef174c86e99466432

SHA256
5b029896854ca2dae347050472888874743351d6eb8174e19a1d02674291d011

SHA512
c1b35a398a9ae9a8b68a15b55ad2ea8003a5009257a07f40ac0dd1a797e3dbf7458c8309696ec89a5e59ad6a29665ef4a644aa3be84eecb49cd1f66a81fdcfc9

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
1d8719bbc57b692190a96370cdeda1ea

SHA1
db59f74ea313a4458a332eca799a25001afbf456

SHA256
982281455a64d36fe5453170fd48aac6c0cdb596b49a31aec8fcd03185e4a5e4

SHA512
85b79b2195ca20b569691cc2061e41d2c387862eb43b04f698bd0953bd7f4a767f49c23d7ebd9910d46782ccfaf56e536c19e1e0b5ab60183be901f9d09f0e33

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
1983c166b482686f4352b85e89ff1d97

SHA1
8fa56131a52093fc79cba62064a1d980127eb165

SHA256
8697667bf25d8cfbede337a3dc3d45d8d706553e9457af84fcf86ab84dcff9c4

SHA512
934540355fa59af972749da7e2ebc082102c4afbf3f9b87e40bfef7c0681cd4e6b5adebf735f4d3860672f548a806c441a8ecfa29c177ca5095f357c83c87625

Download Submit
memory/232-428-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/436-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/556-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/700-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/796-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1160-421-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1196-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1292-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1324-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1328-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1348-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1464-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-220-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1528-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1616-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1876-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1904-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2072-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2196-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2244-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2296-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2468-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-166-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3024-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3284-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3440-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3456-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3548-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3584-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3588-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3648-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3772-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3836-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3920-93-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4024-254-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4024-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4072-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4204-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4288-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4380-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4400-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4488-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4528-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4560-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4596-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4648-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4720-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4796-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4956-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4984-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5052-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5112-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads