e43788958f74d6a0e45d52efa141845eb662e38c9d1ac5c19c923177a3bc18e5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 05:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe
Size

27KB
MD5

4614e093aba7c7c7259c143ca32e9855
SHA1

62eee01c2ee85cb3b72c204b5f5e7588000fd4da
SHA256

e43788958f74d6a0e45d52efa141845eb662e38c9d1ac5c19c923177a3bc18e5
SHA512

edccd38aa1910b167b0b8c8f8325a230b3841ec8b4bb3ec9567fc588f03676ffd30d5d1c0af4ca8d2489623a236edf23d1740ae03ffeb5772b70ad500a24a220
SSDEEP

768:lV3/O9CLQiHRbCCxE99Koc6sv2Parjz4VM9VOli:llG9CLp51m9K9eirjfqs

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4924-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/4924-1-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/2008-47-0x0000000000400000-0x0000000000417000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.msc

Suspicious behavior: RenamesItself 64 IoCs

pid	Process
4924	4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe
4924	4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe
756	svchost.msc
756	svchost.msc
1132	svchost.msc
1132	svchost.msc
2172	svchost.msc
2172	svchost.msc
532	svchost.msc
532	svchost.msc
1712	svchost.msc
1712	svchost.msc
2432	svchost.msc
2432	svchost.msc
960	svchost.msc
960	svchost.msc
3172	svchost.msc
3172	svchost.msc
1032	svchost.msc
1032	svchost.msc
1144	svchost.msc
1144	svchost.msc
920	svchost.msc
920	svchost.msc
4140	svchost.msc
4140	svchost.msc
3032	svchost.msc
3032	svchost.msc
1980	svchost.msc
1980	svchost.msc
2216	svchost.msc
2216	svchost.msc
884	svchost.msc
884	svchost.msc
4944	svchost.msc
4944	svchost.msc
2600	svchost.msc
2600	svchost.msc
3448	svchost.msc
3448	svchost.msc
1020	svchost.msc
1020	svchost.msc
3284	svchost.msc
3284	svchost.msc
1280	svchost.msc
1280	svchost.msc
964	svchost.msc
964	svchost.msc
1576	svchost.msc
1576	svchost.msc
3768	svchost.msc
3768	svchost.msc
1724	svchost.msc
1724	svchost.msc
4032	svchost.msc
4032	svchost.msc
216	svchost.msc
216	svchost.msc
3204	svchost.msc
3204	svchost.msc
4456	svchost.msc
4456	svchost.msc
4396	svchost.msc
4396	svchost.msc

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 756	4924	4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe	87
PID 4924 wrote to memory of 756	4924	4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe	87
PID 4924 wrote to memory of 756	4924	4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe	87
PID 756 wrote to memory of 1132	756	svchost.msc	88
PID 756 wrote to memory of 1132	756	svchost.msc	88
PID 756 wrote to memory of 1132	756	svchost.msc	88
PID 1132 wrote to memory of 2172	1132	svchost.msc	89
PID 1132 wrote to memory of 2172	1132	svchost.msc	89
PID 1132 wrote to memory of 2172	1132	svchost.msc	89
PID 2172 wrote to memory of 532	2172	svchost.msc	92
PID 2172 wrote to memory of 532	2172	svchost.msc	92
PID 2172 wrote to memory of 532	2172	svchost.msc	92
PID 532 wrote to memory of 1712	532	svchost.msc	94
PID 532 wrote to memory of 1712	532	svchost.msc	94
PID 532 wrote to memory of 1712	532	svchost.msc	94
PID 1712 wrote to memory of 2432	1712	svchost.msc	98
PID 1712 wrote to memory of 2432	1712	svchost.msc	98
PID 1712 wrote to memory of 2432	1712	svchost.msc	98
PID 2432 wrote to memory of 960	2432	svchost.msc	99
PID 2432 wrote to memory of 960	2432	svchost.msc	99
PID 2432 wrote to memory of 960	2432	svchost.msc	99
PID 960 wrote to memory of 3172	960	svchost.msc	100
PID 960 wrote to memory of 3172	960	svchost.msc	100
PID 960 wrote to memory of 3172	960	svchost.msc	100
PID 3172 wrote to memory of 1032	3172	svchost.msc	101
PID 3172 wrote to memory of 1032	3172	svchost.msc	101
PID 3172 wrote to memory of 1032	3172	svchost.msc	101
PID 1032 wrote to memory of 1144	1032	svchost.msc	104
PID 1032 wrote to memory of 1144	1032	svchost.msc	104
PID 1032 wrote to memory of 1144	1032	svchost.msc	104
PID 1144 wrote to memory of 920	1144	svchost.msc	105
PID 1144 wrote to memory of 920	1144	svchost.msc	105
PID 1144 wrote to memory of 920	1144	svchost.msc	105
PID 920 wrote to memory of 4140	920	svchost.msc	106
PID 920 wrote to memory of 4140	920	svchost.msc	106
PID 920 wrote to memory of 4140	920	svchost.msc	106
PID 4140 wrote to memory of 3032	4140	svchost.msc	107
PID 4140 wrote to memory of 3032	4140	svchost.msc	107
PID 4140 wrote to memory of 3032	4140	svchost.msc	107
PID 3032 wrote to memory of 1980	3032	svchost.msc	110
PID 3032 wrote to memory of 1980	3032	svchost.msc	110
PID 3032 wrote to memory of 1980	3032	svchost.msc	110
PID 1980 wrote to memory of 2216	1980	svchost.msc	111
PID 1980 wrote to memory of 2216	1980	svchost.msc	111
PID 1980 wrote to memory of 2216	1980	svchost.msc	111
PID 2216 wrote to memory of 884	2216	svchost.msc	112
PID 2216 wrote to memory of 884	2216	svchost.msc	112
PID 2216 wrote to memory of 884	2216	svchost.msc	112
PID 884 wrote to memory of 4944	884	svchost.msc	113
PID 884 wrote to memory of 4944	884	svchost.msc	113
PID 884 wrote to memory of 4944	884	svchost.msc	113
PID 4944 wrote to memory of 2600	4944	svchost.msc	116
PID 4944 wrote to memory of 2600	4944	svchost.msc	116
PID 4944 wrote to memory of 2600	4944	svchost.msc	116
PID 2600 wrote to memory of 3448	2600	svchost.msc	117
PID 2600 wrote to memory of 3448	2600	svchost.msc	117
PID 2600 wrote to memory of 3448	2600	svchost.msc	117
PID 3448 wrote to memory of 1020	3448	svchost.msc	118
PID 3448 wrote to memory of 1020	3448	svchost.msc	118
PID 3448 wrote to memory of 1020	3448	svchost.msc	118
PID 1020 wrote to memory of 3284	1020	svchost.msc	119
PID 1020 wrote to memory of 3284	1020	svchost.msc	119
PID 1020 wrote to memory of 3284	1020	svchost.msc	119
PID 3284 wrote to memory of 1280	3284	svchost.msc	120

C:\Users\Admin\AppData\Local\Temp\4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4924
- \??\c:\windows\SysWOW64\svchost.msc
  c:\windows\system32\svchost.msc C:\Users\Admin\AppData\Local\Temp\4614e093aba7c7c7259c143ca32e9855_JaffaCakes118.exe
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:756
- - \??\c:\windows\SysWOW64\svchost.msc
    c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
    3⤵
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - \??\c:\windows\SysWOW64\svchost.msc
      c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
      4⤵
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:2172
    - - \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        5⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:532
      - \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        7⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        9⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        13⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        14⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        15⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        16⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        17⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        18⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        19⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        20⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        21⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        22⤵
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        23⤵
        Suspicious behavior: RenamesItself
        
        PID:1280
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        24⤵
        Suspicious behavior: RenamesItself
        
        PID:964
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        25⤵
        Suspicious behavior: RenamesItself
        
        PID:1576
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        26⤵
        Suspicious behavior: RenamesItself
        
        PID:3768
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        27⤵
        Suspicious behavior: RenamesItself
        
        PID:1724
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        28⤵
        Suspicious behavior: RenamesItself
        
        PID:4032
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:216
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        30⤵
        Suspicious behavior: RenamesItself
        
        PID:3204
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        31⤵
        Suspicious behavior: RenamesItself
        
        PID:4456
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        32⤵
        Suspicious behavior: RenamesItself
        
        PID:4396
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        33⤵
        
        PID:2756
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        34⤵
        
        PID:1752
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        35⤵
        
        PID:4484
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        37⤵
        
        PID:1632
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        38⤵
        
        PID:4924
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        42⤵
        
        PID:3292
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        43⤵
        
        PID:2104
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        44⤵
        
        PID:2828
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        47⤵
        
        PID:2008
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        50⤵
        
        PID:3908
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        51⤵
        
        PID:3340
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        52⤵
        
        PID:2876
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        53⤵
        
        PID:1124
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        55⤵
        
        PID:4660
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        61⤵
        
        PID:3780
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        62⤵
        
        PID:3768
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        63⤵
        
        PID:1724
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        65⤵
        
        PID:216
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        67⤵
        
        PID:4348
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        68⤵
        
        PID:4132
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        69⤵
        
        PID:2756
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        72⤵
        
        PID:1456
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        73⤵
        
        PID:2888
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        74⤵
        
        PID:2868
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        75⤵
        
        PID:4116
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        76⤵
        
        PID:2508
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        77⤵
        
        PID:2340
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        78⤵
        
        PID:1640
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        79⤵
        
        PID:4504
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        82⤵
        
        PID:228
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        83⤵
        
        PID:2636
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        84⤵
        
        PID:2428
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        85⤵
        
        PID:1840
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        86⤵
        
        PID:1636
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        88⤵
        
        PID:2096
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        89⤵
        
        PID:4452
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        92⤵
        
        PID:2400
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        93⤵
        
        PID:3444
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        94⤵
        
        PID:3360
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        95⤵
        
        PID:4124
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        96⤵
        
        PID:4140
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        98⤵
        
        PID:5048
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        100⤵
        
        PID:3284
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        101⤵
        
        PID:3640
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        103⤵
        
        PID:1932
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        104⤵
        
        PID:4184
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        105⤵
        
        PID:2300
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        106⤵
        
        PID:2308
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        108⤵
        
        PID:5060
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        109⤵
        
        PID:4736
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        110⤵
        
        PID:216
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        111⤵
        
        PID:3204
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        113⤵
        
        PID:4488
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        114⤵
        
        PID:428
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        116⤵
        
        PID:1528
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        117⤵
        
        PID:792
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        118⤵
        
        PID:2888
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        119⤵
        
        PID:2868
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        120⤵
        
        PID:4904
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        121⤵
        
        PID:1664
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        122⤵
        
        PID:2340
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        123⤵
        
        PID:2408
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        124⤵
        
        PID:3644
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        125⤵
        
        PID:4916
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        129⤵
        
        PID:544
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        132⤵
        
        PID:3788
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        136⤵
        
        PID:404
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        137⤵
        
        PID:2444
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        138⤵
        
        PID:4412
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        139⤵
        
        PID:3860
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        140⤵
        
        PID:4812
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        142⤵
        
        PID:4736
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        144⤵
        
        PID:4188
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        147⤵
        
        PID:4100
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        148⤵
        
        PID:1068
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        149⤵
        
        PID:760
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        150⤵
        
        PID:4768
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        153⤵
        
        PID:3916
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        154⤵
        
        PID:2708
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        155⤵
        
        PID:1664
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        156⤵
        
        PID:2340
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        158⤵
        
        PID:728
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        159⤵
        
        PID:4916
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        160⤵
        
        PID:2192
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        161⤵
        
        PID:2932
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        165⤵
        
        PID:2904
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        167⤵
        
        PID:2968
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        168⤵
        
        PID:1636
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        169⤵
        
        PID:4056
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        170⤵
        
        PID:3352
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        171⤵
        
        PID:1364
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        173⤵
        
        PID:3848
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        174⤵
        
        PID:3572
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        176⤵
        
        PID:1304
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        177⤵
        
        PID:3792
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        181⤵
        
        PID:3448
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        182⤵
        
        PID:2876
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        184⤵
        
        PID:1812
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        185⤵
        
        PID:1124
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        187⤵
        
        PID:5060
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        188⤵
        
        PID:1740
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        189⤵
        
        PID:4044
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        190⤵
        
        PID:216
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        191⤵
        
        PID:3768
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        192⤵
        
        PID:4248
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        193⤵
        
        PID:4348
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        195⤵
        
        PID:1896
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        197⤵
        
        PID:2220
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        198⤵
        
        PID:4924
        
        \??\c:\windows\SysWOW64\svchost.msc
        
        c:\windows\system32\svchost.msc c:\windows\SysWOW64\svchost.msc
        199⤵
        
        PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4924-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4924-1-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download