neshta | e65db561681f6da6967d62a399aaa46db04c89ea12a234f2f33685d44530186d

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
Size

242KB
MD5

4668f88c02b5fbf98316a17eccf6a220
SHA1

6b326ac6b389fc09939db609ff8e2c525a7916bf
SHA256

e65db561681f6da6967d62a399aaa46db04c89ea12a234f2f33685d44530186d
SHA512

a2434b9a975ef429e33e3ce6ae97184eae414c89e2fc64341d2c9c14c23b06eb471ac593103a488827b0fa4694340d2dfaaef5c5ce0c6a48d25b7864a6ede7c8
SSDEEP

6144:byH7xOc6H5c6HcT66vlmrIzZHfsvwLQUePSeqTFyH7xOc6H5c6HcT66vlmr+UePH:bazzZ/svwzePSRa+ePSK

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

svchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE

pid	Process
2740	svchost.exe
2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2548	svchost.exe
2732	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2712	svchost.exe
2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2360	svchost.com
828	4668F8~1.EXE
2896	svchost.com
2924	4668F8~1.EXE
3048	svchost.com
2800	4668F8~1.EXE
328	svchost.com
2792	4668F8~1.EXE
1780	svchost.com
2816	4668F8~1.EXE
992	svchost.com
1496	4668F8~1.EXE
2520	svchost.com
2192	4668F8~1.EXE
1156	svchost.com
2488	4668F8~1.EXE
1148	svchost.com
2044	4668F8~1.EXE
1772	svchost.com
1444	4668F8~1.EXE
2232	svchost.com
276	4668F8~1.EXE
2776	svchost.com
2832	4668F8~1.EXE
1512	svchost.com
2960	4668F8~1.EXE
2564	svchost.com
2568	4668F8~1.EXE
2596	svchost.com
2616	4668F8~1.EXE
2664	svchost.com
2036	4668F8~1.EXE
1924	svchost.com
2876	4668F8~1.EXE
2916	svchost.com
3016	4668F8~1.EXE
2928	svchost.com
1280	4668F8~1.EXE
1644	svchost.com
1220	4668F8~1.EXE
2528	svchost.com
924	4668F8~1.EXE
2292	svchost.com
1876	4668F8~1.EXE
2884	svchost.com
1436	4668F8~1.EXE
1892	svchost.com
2976	4668F8~1.EXE
2796	svchost.com
1300	4668F8~1.EXE
2304	svchost.com
2424	4668F8~1.EXE
748	svchost.com
1696	4668F8~1.EXE
2348	svchost.com
1832	4668F8~1.EXE
1776	svchost.com
892	4668F8~1.EXE

Loads dropped DLL 64 IoCs

Processes:

svchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

pid	Process
2740	svchost.exe
2740	svchost.exe
2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2712	svchost.exe
2712	svchost.exe
2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2360	svchost.com
2360	svchost.com
2896	svchost.com
2896	svchost.com
3048	svchost.com
3048	svchost.com
328	svchost.com
328	svchost.com
1780	svchost.com
1780	svchost.com
992	svchost.com
992	svchost.com
2520	svchost.com
2520	svchost.com
2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
1156	svchost.com
1156	svchost.com
1148	svchost.com
1148	svchost.com
1772	svchost.com
1772	svchost.com
2232	svchost.com
2232	svchost.com
2776	svchost.com
2776	svchost.com
1512	svchost.com
1512	svchost.com
2564	svchost.com
2564	svchost.com
2596	svchost.com
2596	svchost.com
2664	svchost.com
2664	svchost.com
1924	svchost.com
1924	svchost.com
2916	svchost.com
2916	svchost.com
2928	svchost.com
2928	svchost.com
1644	svchost.com
1644	svchost.com
2528	svchost.com
2528	svchost.com
2292	svchost.com
2292	svchost.com
2884	svchost.com
2884	svchost.com
1892	svchost.com
1892	svchost.com
2796	svchost.com
2796	svchost.com
2304	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	svchost.exe

Drops file in Windows directory 64 IoCs

Processes:

4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE

Modifies registry class 1 IoCs

Processes:

4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE

description	pid	Process	procid_target
PID 2684 wrote to memory of 2740	2684	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2740	2684	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2740	2684	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2740	2684	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	31
PID 2740 wrote to memory of 2416	2740	svchost.exe	32
PID 2740 wrote to memory of 2416	2740	svchost.exe	32
PID 2740 wrote to memory of 2416	2740	svchost.exe	32
PID 2740 wrote to memory of 2416	2740	svchost.exe	32
PID 2416 wrote to memory of 2732	2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2732	2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2732	2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2732	2416	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	34
PID 2732 wrote to memory of 2712	2732	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	35
PID 2732 wrote to memory of 2712	2732	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	35
PID 2732 wrote to memory of 2712	2732	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	35
PID 2732 wrote to memory of 2712	2732	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	35
PID 2712 wrote to memory of 2560	2712	svchost.exe	36
PID 2712 wrote to memory of 2560	2712	svchost.exe	36
PID 2712 wrote to memory of 2560	2712	svchost.exe	36
PID 2712 wrote to memory of 2560	2712	svchost.exe	36
PID 2560 wrote to memory of 2360	2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	37
PID 2560 wrote to memory of 2360	2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	37
PID 2560 wrote to memory of 2360	2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	37
PID 2560 wrote to memory of 2360	2560	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	37
PID 2360 wrote to memory of 828	2360	svchost.com	38
PID 2360 wrote to memory of 828	2360	svchost.com	38
PID 2360 wrote to memory of 828	2360	svchost.com	38
PID 2360 wrote to memory of 828	2360	svchost.com	38
PID 828 wrote to memory of 2896	828	4668F8~1.EXE	39
PID 828 wrote to memory of 2896	828	4668F8~1.EXE	39
PID 828 wrote to memory of 2896	828	4668F8~1.EXE	39
PID 828 wrote to memory of 2896	828	4668F8~1.EXE	39
PID 2896 wrote to memory of 2924	2896	svchost.com	40
PID 2896 wrote to memory of 2924	2896	svchost.com	40
PID 2896 wrote to memory of 2924	2896	svchost.com	40
PID 2896 wrote to memory of 2924	2896	svchost.com	40
PID 2924 wrote to memory of 3048	2924	4668F8~1.EXE	41
PID 2924 wrote to memory of 3048	2924	4668F8~1.EXE	41
PID 2924 wrote to memory of 3048	2924	4668F8~1.EXE	41
PID 2924 wrote to memory of 3048	2924	4668F8~1.EXE	41
PID 3048 wrote to memory of 2800	3048	svchost.com	42
PID 3048 wrote to memory of 2800	3048	svchost.com	42
PID 3048 wrote to memory of 2800	3048	svchost.com	42
PID 3048 wrote to memory of 2800	3048	svchost.com	42
PID 2800 wrote to memory of 328	2800	4668F8~1.EXE	43
PID 2800 wrote to memory of 328	2800	4668F8~1.EXE	43
PID 2800 wrote to memory of 328	2800	4668F8~1.EXE	43
PID 2800 wrote to memory of 328	2800	4668F8~1.EXE	43
PID 328 wrote to memory of 2792	328	svchost.com	44
PID 328 wrote to memory of 2792	328	svchost.com	44
PID 328 wrote to memory of 2792	328	svchost.com	44
PID 328 wrote to memory of 2792	328	svchost.com	44
PID 2792 wrote to memory of 1780	2792	4668F8~1.EXE	45
PID 2792 wrote to memory of 1780	2792	4668F8~1.EXE	45
PID 2792 wrote to memory of 1780	2792	4668F8~1.EXE	45
PID 2792 wrote to memory of 1780	2792	4668F8~1.EXE	45
PID 1780 wrote to memory of 2816	1780	svchost.com	46
PID 1780 wrote to memory of 2816	1780	svchost.com	46
PID 1780 wrote to memory of 2816	1780	svchost.com	46
PID 1780 wrote to memory of 2816	1780	svchost.com	46
PID 2816 wrote to memory of 992	2816	4668F8~1.EXE	47
PID 2816 wrote to memory of 992	2816	4668F8~1.EXE	47
PID 2816 wrote to memory of 992	2816	4668F8~1.EXE	47
PID 2816 wrote to memory of 992	2816	4668F8~1.EXE	47

C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        65⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        66⤵
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        67⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        68⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        69⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        70⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        71⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        72⤵
        
        PID:2136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        73⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        74⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        76⤵
        
        PID:1500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        79⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        80⤵
        Drops file in Windows directory
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        81⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        82⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        83⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        84⤵
        Drops file in Windows directory
        
        PID:1172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        85⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        86⤵
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        87⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        89⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        90⤵
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        91⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        92⤵
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        93⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        94⤵
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        95⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        96⤵
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        97⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        98⤵
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        99⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        100⤵
        
        PID:992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        101⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        102⤵
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        104⤵
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        106⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        107⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        108⤵
        
        PID:2488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        109⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        110⤵
        
        PID:832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        111⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        112⤵
        
        PID:1192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        113⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        115⤵
        Drops file in Windows directory
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        116⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        117⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        118⤵
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        119⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        121⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        122⤵
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        125⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        126⤵
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        127⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        128⤵
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        129⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        130⤵
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        131⤵
        Drops file in Windows directory
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        132⤵
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        133⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        134⤵
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        135⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        136⤵
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        138⤵
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        139⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        140⤵
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        141⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        142⤵
        Drops file in Windows directory
        
        PID:2352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        143⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        144⤵
        
        PID:1876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        145⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        146⤵
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        147⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        148⤵
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        149⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        150⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        151⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        152⤵
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        153⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        154⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        155⤵
        Drops file in Windows directory
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        156⤵
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        157⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        159⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        160⤵
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        161⤵
        Drops file in Windows directory
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        162⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        163⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        165⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        166⤵
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        167⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        168⤵
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        169⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        170⤵
        Drops file in Windows directory
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        171⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        172⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        174⤵
        
        PID:1404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        176⤵
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        177⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        178⤵
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        179⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        180⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        181⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        182⤵
        
        PID:1400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        183⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        185⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        186⤵
        
        PID:1888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        187⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        188⤵
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        189⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        190⤵
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        191⤵
        Drops file in Windows directory
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        192⤵
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        193⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        194⤵
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        195⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        196⤵
        
        PID:2212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        198⤵
        
        PID:1208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        199⤵
        Drops file in Windows directory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        200⤵
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        201⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        202⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        203⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        204⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        205⤵
        Drops file in Windows directory
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        206⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        207⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        208⤵
        
        PID:3000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        209⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        210⤵
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        211⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        212⤵
        
        PID:1256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        213⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        215⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        216⤵
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        217⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        218⤵
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        219⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        220⤵
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        221⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        222⤵
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        223⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        224⤵
        
        PID:1724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        225⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        226⤵
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        227⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        228⤵
        Drops file in Windows directory
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        229⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        230⤵
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        231⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        232⤵
        Drops file in Windows directory
        
        PID:1432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        233⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        234⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        236⤵
        Drops file in Windows directory
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        237⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        238⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        239⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        240⤵
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        241⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        242⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        243⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        244⤵
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        246⤵
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        247⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        248⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        249⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        250⤵
        Drops file in Windows directory
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        251⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        252⤵
        
        PID:1444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        254⤵
        
        PID:280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        255⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        256⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        257⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        258⤵
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        259⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        260⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        261⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        262⤵
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        263⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        264⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        265⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        266⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        267⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        269⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        270⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        271⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        272⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        273⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        274⤵
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        276⤵
        Drops file in Windows directory
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        277⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        278⤵
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        279⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        280⤵
        Drops file in Windows directory
        
        PID:1780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        282⤵
        
        PID:316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        283⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        284⤵
        Drops file in Windows directory
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        285⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        286⤵
        Drops file in Windows directory
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        287⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        288⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        289⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        290⤵
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        292⤵
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        293⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        294⤵
        
        PID:268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        295⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        297⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        298⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        299⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        300⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        301⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        302⤵
        Drops file in Windows directory
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        303⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        305⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        306⤵
        Drops file in Windows directory
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        307⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        308⤵
        Drops file in Windows directory
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        309⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        310⤵
        
        PID:480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        311⤵
        Drops file in Windows directory
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        312⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        313⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        314⤵
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        315⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        316⤵
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        317⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        318⤵
        Drops file in Windows directory
        
        PID:1116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        319⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        321⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        322⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        323⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        324⤵
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        325⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        326⤵
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        327⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        328⤵
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        329⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        330⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        331⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        332⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        333⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        334⤵
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        335⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        336⤵
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        337⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        338⤵
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        339⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        340⤵
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        341⤵
        Drops file in Windows directory
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        342⤵
        
        PID:1320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        343⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        344⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        345⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        346⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        347⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        348⤵
        
        PID:2504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        349⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        350⤵
        
        PID:1004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        351⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        352⤵
        Drops file in Windows directory
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        353⤵
        Drops file in Windows directory
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        354⤵
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        355⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        356⤵
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        357⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        358⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        359⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        360⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        361⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        362⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        364⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        365⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        366⤵
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        367⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        368⤵
        
        PID:328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        369⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        370⤵
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        371⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        372⤵
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        373⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        374⤵
        Drops file in Windows directory
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        375⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        376⤵
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        377⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        378⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        379⤵
        Drops file in Windows directory
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        380⤵
        
        PID:2412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        381⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        382⤵
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        383⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        384⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        385⤵
        Drops file in Windows directory
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        386⤵
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        387⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        388⤵
        
        PID:1320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        389⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        390⤵
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        391⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        392⤵
        Drops file in Windows directory
        
        PID:280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        393⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        394⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        395⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        396⤵
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        397⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        398⤵
        
        PID:1212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        399⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        400⤵
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        401⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        402⤵
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        403⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        404⤵
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        405⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        406⤵
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        407⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        408⤵
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        409⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        410⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        411⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        412⤵
        
        PID:336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        413⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        414⤵
        
        PID:1220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        415⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        416⤵
        Drops file in Windows directory
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        417⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        418⤵
        
        PID:2352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        419⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        420⤵
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        421⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        422⤵
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        423⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        424⤵
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        425⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        426⤵
        
        PID:440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        427⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        428⤵
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        429⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        430⤵
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        431⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        432⤵
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        433⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        434⤵
        
        PID:824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        435⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        436⤵
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        437⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        438⤵
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        439⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        440⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        441⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        442⤵
        
        PID:276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        443⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        444⤵
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        445⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        446⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        447⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        448⤵
        System Location Discovery: System Language Discovery
        
        PID:156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        449⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        450⤵
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        451⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        452⤵
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        453⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        454⤵
        Drops file in Windows directory
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        455⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        456⤵
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        457⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        458⤵
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        459⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        460⤵
        
        PID:328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        461⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        462⤵
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        463⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        464⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        465⤵
        Drops file in Windows directory
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        466⤵
        Drops file in Windows directory
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        467⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        468⤵
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        469⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        470⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        471⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        472⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        473⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        474⤵
        Drops file in Windows directory
        
        PID:2204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        475⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        476⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        477⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        478⤵
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        479⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        480⤵
        
        PID:1320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        481⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        482⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        483⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        484⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        485⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        486⤵
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        487⤵
        Drops file in Windows directory
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        488⤵
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        489⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        490⤵
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        491⤵
        Drops file in Windows directory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        492⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        493⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        494⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        495⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        496⤵
        Drops file in Windows directory
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        497⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        498⤵
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        499⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        500⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        501⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        502⤵
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        503⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        504⤵
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        505⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        506⤵
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        507⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        508⤵
        Drops file in Windows directory
        
        PID:1432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        509⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        510⤵
        Drops file in Windows directory
        
        PID:2792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        511⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        512⤵
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        513⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        514⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        515⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        516⤵
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        517⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        518⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        519⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        520⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        521⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        522⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        523⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        524⤵
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        525⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        526⤵
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        527⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        528⤵
        
        PID:1420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        529⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        530⤵
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        531⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        532⤵
        
        PID:996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        533⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        534⤵
        
        PID:1004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        535⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        536⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        537⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        538⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        539⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        540⤵
        
        PID:2960

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
542KB

MD5
59b062c6534098742f02494d0b83665e

SHA1
7206df0d4452c5dbdd696574bf8f45649a665166

SHA256
e8a645825503418da8addd775a99ce3f35b5f65848be7aed6444348bb95a1ce1

SHA512
92557c5af24c47bc296a6ced2c7af7e564936c7a4bd22739ab61f0f9e73129906e235512dc001cd5748c4dc907aa1e0700c71df65fc1da48f73b268676ad810b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
f5e45b901cf9b09d27350d0ff4b8f490

SHA1
c55c51274b0eccb59d43bdd1846a7bbe5d79a4bd

SHA256
86b65c2100838bb30c91841c506a26e9f8a65bc41fd4674b3fb1827837c2974f

SHA512
258b20e5ac14e32436560937ad1d2390b4ef6ac01eb9c23430940e5fe57ff220602dcfa533d4a3c42dc9fc43ebf7a89adca119847e686129efd22caff981371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Filesize
166KB

MD5
9e194234c9c13aab3938a82f121e7012

SHA1
8f98b3e7fab10feecdca9578bd53b2808793dda9

SHA256
64396c56f15e3b0ee552c98ab0fe1ab6bfbba0a0e0b1643548480b1270eca4f7

SHA512
a159b2491025c4ed2f8bcfb42668ec4724aed09a3c73adcb62252a426962e5f3fe3c4bd0ede34a197f2848706153a24bdac0e9807c11af60e727dd9170048703

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
9a4a63f442e9d6f7ffac2f7a49b1105d

SHA1
a10706774bf8e3a84258b7c2aef3670184e334f1

SHA256
1c9207d65c6cbb9da89f1489a1df0495f4873dac93a03cff9d0c0ae37a18286c

SHA512
3178c27a62c82ccd0642289f3f09c28b95253cee1d85ffe3c6b9d72caa2e390cf31af1c380d0427af6616ac059a2da3b4d3cab99e7a29551f046852f2c57d419

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
e670f44a849dbb9aed35fca3199748ac

SHA1
15c28fdff201678ade6d03e410671b6a44a95a1e

SHA256
fdef4676d98ac1b29431af4f843a9dd5268f4bc539acff19a232cfba409eef19

SHA512
d76817fe47ab062dbdcaf34b393ba8c30f351eaafd32497a29fbaf4f2a2cd602417a2bd986f475a3cffdebead2ffa4466ac4ad2de23525d693d73091330500d9

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Filesize
130KB

MD5
cc2f24a4f1ab83d29c0a3eebc2662114

SHA1
e1deb06e719d78b29ec8dc442f3d06ed6266551d

SHA256
e46a6ea40ec3527ecca9925ae25f58bfd1be70c76dddbdf6ed727fd7338f7f90

SHA512
646e56a32f01e6574a2c15d70238f5c3bffcc358ea75bbd24c38bca0711abc7a21a2ebc08fe129741dca922d49a88e1f671270fdb72d82c3cf6e68cbd94be45b

Download Submit
\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Filesize
206KB

MD5
a5a0546260486a83fb92a055450fbb7d

SHA1
789ac0c2868fedd0d3498398e54fc38cdff0475b

SHA256
cad84b2e4f3890c43c4aec47199f28de378df861f93c631323fbe6e5d1f42ba0

SHA512
1dfe9c2125a3c7cba4b7180f56e4f2f96d24bf90ce64ddeff0a3419c9ef46b672197d231e3737ff02fbf44fb7cea64e1e357f6eb010c1325ea0e53dec8d2fe9d

Download Submit
memory/276-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/328-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/828-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/892-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/924-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/992-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1148-199-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1156-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1220-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1280-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1300-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1436-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1444-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1496-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1512-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1644-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1780-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1832-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1876-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1892-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-198-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2192-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2196-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2292-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2304-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2348-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2424-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2488-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2528-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2564-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2616-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2664-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2712-49-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2732-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2740-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2776-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2792-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2800-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2832-252-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2896-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2916-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2928-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2960-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2976-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download