neshta | e65db561681f6da6967d62a399aaa46db04c89ea12a234f2f33685d44530186d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
Size

242KB
MD5

4668f88c02b5fbf98316a17eccf6a220
SHA1

6b326ac6b389fc09939db609ff8e2c525a7916bf
SHA256

e65db561681f6da6967d62a399aaa46db04c89ea12a234f2f33685d44530186d
SHA512

a2434b9a975ef429e33e3ce6ae97184eae414c89e2fc64341d2c9c14c23b06eb471ac593103a488827b0fa4694340d2dfaaef5c5ce0c6a48d25b7864a6ede7c8
SSDEEP

6144:byH7xOc6H5c6HcT66vlmrIzZHfsvwLQUePSeqTFyH7xOc6H5c6HcT66vlmr+UePH:bazzZ/svwzePSRa+ePSK

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4668F8~1.EXE

Executes dropped EXE 64 IoCs

Processes:

svchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE

pid	Process
1380	svchost.exe
4264	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
1140	svchost.exe
1060	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
4420	svchost.exe
2220	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
1436	svchost.com
1996	4668F8~1.EXE
1928	svchost.com
4204	4668F8~1.EXE
1352	svchost.com
4208	4668F8~1.EXE
512	svchost.com
1968	4668F8~1.EXE
1732	svchost.com
516	4668F8~1.EXE
3576	svchost.com
3044	4668F8~1.EXE
5008	svchost.com
4704	4668F8~1.EXE
3308	svchost.com
4344	4668F8~1.EXE
5036	svchost.com
4872	4668F8~1.EXE
1964	svchost.com
2432	4668F8~1.EXE
4924	svchost.com
1488	4668F8~1.EXE
3676	svchost.com
1332	4668F8~1.EXE
4136	svchost.com
2064	4668F8~1.EXE
1772	svchost.com
3408	4668F8~1.EXE
744	svchost.com
1048	4668F8~1.EXE
540	svchost.com
4004	4668F8~1.EXE
1824	svchost.com
4996	4668F8~1.EXE
3044	svchost.com
4440	4668F8~1.EXE
2044	svchost.com
1704	4668F8~1.EXE
216	svchost.com
2964	4668F8~1.EXE
2652	svchost.com
3956	4668F8~1.EXE
8	svchost.com
3688	4668F8~1.EXE
1692	svchost.com
2788	4668F8~1.EXE
428	svchost.com
1224	4668F8~1.EXE
5112	svchost.com
1764	4668F8~1.EXE
5108	svchost.com
816	4668F8~1.EXE
3332	svchost.com
1604	4668F8~1.EXE
1064	svchost.com
1776	4668F8~1.EXE
4956	svchost.com
860	4668F8~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

Processes:

4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\directx.sys	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	4668F8~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.comsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXE4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.comsvchost.com4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXEsvchost.comsvchost.com4668F8~1.EXEsvchost.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4668F8~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

Processes:

4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE4668F8~1.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	4668F8~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.exe4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exesvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXEsvchost.com4668F8~1.EXE

description	pid	Process	procid_target
PID 3688 wrote to memory of 1380	3688	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	84
PID 3688 wrote to memory of 1380	3688	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	84
PID 3688 wrote to memory of 1380	3688	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	84
PID 1380 wrote to memory of 4264	1380	svchost.exe	85
PID 1380 wrote to memory of 4264	1380	svchost.exe	85
PID 1380 wrote to memory of 4264	1380	svchost.exe	85
PID 4264 wrote to memory of 1060	4264	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	88
PID 4264 wrote to memory of 1060	4264	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	88
PID 4264 wrote to memory of 1060	4264	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	88
PID 1060 wrote to memory of 4420	1060	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	89
PID 1060 wrote to memory of 4420	1060	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	89
PID 1060 wrote to memory of 4420	1060	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	89
PID 4420 wrote to memory of 2220	4420	svchost.exe	91
PID 4420 wrote to memory of 2220	4420	svchost.exe	91
PID 4420 wrote to memory of 2220	4420	svchost.exe	91
PID 2220 wrote to memory of 1436	2220	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	92
PID 2220 wrote to memory of 1436	2220	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	92
PID 2220 wrote to memory of 1436	2220	4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe	92
PID 1436 wrote to memory of 1996	1436	svchost.com	93
PID 1436 wrote to memory of 1996	1436	svchost.com	93
PID 1436 wrote to memory of 1996	1436	svchost.com	93
PID 1996 wrote to memory of 1928	1996	4668F8~1.EXE	95
PID 1996 wrote to memory of 1928	1996	4668F8~1.EXE	95
PID 1996 wrote to memory of 1928	1996	4668F8~1.EXE	95
PID 1928 wrote to memory of 4204	1928	svchost.com	96
PID 1928 wrote to memory of 4204	1928	svchost.com	96
PID 1928 wrote to memory of 4204	1928	svchost.com	96
PID 4204 wrote to memory of 1352	4204	4668F8~1.EXE	97
PID 4204 wrote to memory of 1352	4204	4668F8~1.EXE	97
PID 4204 wrote to memory of 1352	4204	4668F8~1.EXE	97
PID 1352 wrote to memory of 4208	1352	svchost.com	98
PID 1352 wrote to memory of 4208	1352	svchost.com	98
PID 1352 wrote to memory of 4208	1352	svchost.com	98
PID 4208 wrote to memory of 512	4208	4668F8~1.EXE	99
PID 4208 wrote to memory of 512	4208	4668F8~1.EXE	99
PID 4208 wrote to memory of 512	4208	4668F8~1.EXE	99
PID 512 wrote to memory of 1968	512	svchost.com	100
PID 512 wrote to memory of 1968	512	svchost.com	100
PID 512 wrote to memory of 1968	512	svchost.com	100
PID 1968 wrote to memory of 1732	1968	4668F8~1.EXE	101
PID 1968 wrote to memory of 1732	1968	4668F8~1.EXE	101
PID 1968 wrote to memory of 1732	1968	4668F8~1.EXE	101
PID 1732 wrote to memory of 516	1732	svchost.com	102
PID 1732 wrote to memory of 516	1732	svchost.com	102
PID 1732 wrote to memory of 516	1732	svchost.com	102
PID 516 wrote to memory of 3576	516	4668F8~1.EXE	103
PID 516 wrote to memory of 3576	516	4668F8~1.EXE	103
PID 516 wrote to memory of 3576	516	4668F8~1.EXE	103
PID 3576 wrote to memory of 3044	3576	svchost.com	127
PID 3576 wrote to memory of 3044	3576	svchost.com	127
PID 3576 wrote to memory of 3044	3576	svchost.com	127
PID 3044 wrote to memory of 5008	3044	4668F8~1.EXE	105
PID 3044 wrote to memory of 5008	3044	4668F8~1.EXE	105
PID 3044 wrote to memory of 5008	3044	4668F8~1.EXE	105
PID 5008 wrote to memory of 4704	5008	svchost.com	106
PID 5008 wrote to memory of 4704	5008	svchost.com	106
PID 5008 wrote to memory of 4704	5008	svchost.com	106
PID 4704 wrote to memory of 3308	4704	4668F8~1.EXE	107
PID 4704 wrote to memory of 3308	4704	4668F8~1.EXE	107
PID 4704 wrote to memory of 3308	4704	4668F8~1.EXE	107
PID 3308 wrote to memory of 4344	3308	svchost.com	108
PID 3308 wrote to memory of 4344	3308	svchost.com	108
PID 3308 wrote to memory of 4344	3308	svchost.com	108
PID 4344 wrote to memory of 5036	4344	4668F8~1.EXE	109

C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        41⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        65⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        66⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        67⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        68⤵
        Drops file in Windows directory
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        69⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        70⤵
        Modifies registry class
        
        PID:3468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        71⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        72⤵
        Modifies registry class
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        73⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        74⤵
        
        PID:3704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        76⤵
        Checks computer location settings
        
        PID:4356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        80⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        81⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        82⤵
        Checks computer location settings
        
        PID:4412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        83⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        84⤵
        Checks computer location settings
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        86⤵
        Checks computer location settings
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        87⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        89⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        91⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        92⤵
        
        PID:516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        94⤵
        Checks computer location settings
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        95⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        96⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        97⤵
        Drops file in Windows directory
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        98⤵
        
        PID:980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        99⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        100⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        101⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        102⤵
        Modifies registry class
        
        PID:1420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        103⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        104⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        105⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        106⤵
        Checks computer location settings
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        107⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        108⤵
        Modifies registry class
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        109⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        110⤵
        Modifies registry class
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        111⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        112⤵
        Checks computer location settings
        
        PID:5028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        114⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        115⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        116⤵
        Modifies registry class
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        117⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        118⤵
        Modifies registry class
        
        PID:2760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        119⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        120⤵
        
        PID:3236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        121⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        122⤵
        Modifies registry class
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        123⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        124⤵
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        125⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        126⤵
        Checks computer location settings
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        127⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        128⤵
        Checks computer location settings
        
        PID:4824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        129⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        130⤵
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        131⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        132⤵
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        133⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        134⤵
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        135⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        136⤵
        Checks computer location settings
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        137⤵
        Drops file in Windows directory
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        138⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        139⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        140⤵
        Modifies registry class
        
        PID:468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        141⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        142⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        143⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        144⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        145⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        146⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        147⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        148⤵
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        149⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        150⤵
        Drops file in Windows directory
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        151⤵
        Drops file in Windows directory
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        152⤵
        Checks computer location settings
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        153⤵
        Drops file in Windows directory
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        154⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        155⤵
        Drops file in Windows directory
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        156⤵
        Drops file in Windows directory
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        157⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        160⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        161⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        162⤵
        Checks computer location settings
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        163⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        164⤵
        Modifies registry class
        
        PID:4380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        165⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        166⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        167⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        168⤵
        Checks computer location settings
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        170⤵
        
        PID:1120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        171⤵
        Drops file in Windows directory
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        173⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        174⤵
        Checks computer location settings
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        175⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        176⤵
        Modifies registry class
        
        PID:3760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        178⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        180⤵
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        181⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        182⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        183⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        184⤵
        Modifies registry class
        
        PID:2776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        185⤵
        Drops file in Windows directory
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        186⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        187⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        189⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        190⤵
        Checks computer location settings
        
        PID:3656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        192⤵
        Drops file in Windows directory
        
        PID:4008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        193⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        194⤵
        
        PID:3664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        195⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        196⤵
        
        PID:4252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        197⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        198⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        199⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        200⤵
        Drops file in Windows directory
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        201⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        202⤵
        
        PID:3644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        203⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        204⤵
        
        PID:4568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        205⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        206⤵
        
        PID:968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        207⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        208⤵
        Modifies registry class
        
        PID:5016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        209⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        210⤵
        Checks computer location settings
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        212⤵
        Checks computer location settings
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        213⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        214⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        215⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        216⤵
        
        PID:3228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        217⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        219⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        220⤵
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        221⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        222⤵
        
        PID:516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        223⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        224⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        225⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        226⤵
        Checks computer location settings
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        227⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        228⤵
        
        PID:3520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        230⤵
        Checks computer location settings
        Modifies registry class
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        231⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        232⤵
        Checks computer location settings
        
        PID:112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        233⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        234⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        236⤵
        
        PID:4216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        237⤵
        Drops file in Windows directory
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        238⤵
        Modifies registry class
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        239⤵
        Drops file in Windows directory
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        240⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        241⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        242⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        243⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        244⤵
        Checks computer location settings
        
        PID:4576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        245⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        246⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        247⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        248⤵
        Checks computer location settings
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        249⤵
        Drops file in Windows directory
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        250⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        252⤵
        Drops file in Windows directory
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        253⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        254⤵
        Checks computer location settings
        Modifies registry class
        
        PID:972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        255⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        256⤵
        Modifies registry class
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        258⤵
        
        PID:1196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        259⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        260⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        261⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        262⤵
        
        PID:4140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        264⤵
        Modifies registry class
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        265⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        266⤵
        Modifies registry class
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        267⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        268⤵
        
        PID:5080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        269⤵
        Drops file in Windows directory
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        270⤵
        Checks computer location settings
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        271⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        272⤵
        Modifies registry class
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        273⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        274⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        275⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        276⤵
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        277⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        278⤵
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        279⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        280⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        281⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        282⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        283⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        284⤵
        
        PID:3468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        285⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        286⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        287⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        288⤵
        Drops file in Windows directory
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        290⤵
        Checks computer location settings
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        292⤵
        Modifies registry class
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        293⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        294⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        295⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        296⤵
        Checks computer location settings
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        298⤵
        Drops file in Windows directory
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        299⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        300⤵
        Checks computer location settings
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        301⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        302⤵
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        303⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        304⤵
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        305⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        306⤵
        Modifies registry class
        
        PID:972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        307⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        308⤵
        Checks computer location settings
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        309⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        310⤵
        Checks computer location settings
        
        PID:164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        311⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        312⤵
        Modifies registry class
        
        PID:3704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        313⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        314⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        315⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        316⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        317⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        318⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        319⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        320⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        321⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        322⤵
        Modifies registry class
        
        PID:4356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        323⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        324⤵
        Modifies registry class
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        325⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        326⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        327⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        328⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        329⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        330⤵
        Modifies registry class
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        332⤵
        Checks computer location settings
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        333⤵
        Drops file in Windows directory
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        334⤵
        Checks computer location settings
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        335⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        336⤵
        Modifies registry class
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        337⤵
        Drops file in Windows directory
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        338⤵
        
        PID:4464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        339⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        340⤵
        Modifies registry class
        
        PID:3400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        341⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        342⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        343⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        344⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        345⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        346⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE"
        347⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\4668F8~1.EXE
        348⤵
        
        PID:540

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1824

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv nBKiuqiS0EGNTqr93euORw.0.2
1⤵
PID:1196

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
1ff58f7ee6deab1e58699f3f0e5b5be4

SHA1
94e3c42bf94b9769c70ee744bdc0e70667f8e3a5

SHA256
5ff1c1b8ec91383807cf5034bc617cfd55a39cf11104d90d749e8e5c8d191abb

SHA512
0fae1d263b6fbc150e0361455d169e5945795069831eb91cef661272f5aef98b48b5bf57d485851e02c9f0f44f43c00d93cd109093cd9922f40c306efa283b3e

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
5a0023ce23924c81b9faa2dafe8e3655

SHA1
da8600bcd00013108b87c2fed5cec5a26c0c9cfd

SHA256
9bf56f78be5d70b63a9d2138310c04bf8762362e8b5d8ffdaba6b836647a764a

SHA512
f66fc770495191838ad6033b4aec0c14db35e65ac5dad643836124a550858dfe5b08f04d77f46c262caf724d60277191ce945df59b6f696303f28dda1690e8f2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
644fd42f8199d1e407d58785a9c8c7d1

SHA1
e9302e4de73124554a63e96b1bc078819fd5c7e5

SHA256
859dd22745d751ba2e9a199e538c7e868b93374a63544e2feab24fb07607607e

SHA512
b49b2aec01371be504dd8eb7fcb1cbd31ce52cce7a8d5923ed2c48c89530d83dde65c96a54ab40be5f017f6a7b1ce051bbb2940978d8073a34b9ccaaaadb0bb2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
4ff3ec8fb07e488f73b413fd03e208d4

SHA1
296070a99a250d06ca2190ca42731eb594925204

SHA256
d7d2336c9a18e6cf8ad7c4e49dd00b3ac271eb197a268cfe0240fe9ee1df3293

SHA512
88d0f5b4ed6d8a6e939bf72b6d28b62b71da9fcc5f67cdff7f872718c76d186a26b5f6d4002df9583dcdee780dfb984420917459eb217e789173ead297e041a9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
8893d248ce9159eb1525c89689a7660b

SHA1
952b9f2fcb78ba978eb860861ff80a507b9c698c

SHA256
4d1c01445a1fefb9ece5040a7f448db10ae5cc52d272993f17e05d900fbf2cdb

SHA512
5e296eaf15eb371096f19b9c1534aba4b276f2d5e0846b4b658f2eeb6bac8cbfb5fa2a18f16c0855d3d1e04a4c3d2808633375be401fa4a206ad4eb5225b75f5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
edc65ae58777dc99b8cf382dd1e49bf9

SHA1
0cdf765874049ebe4ddd9757dd6ffc082de0ec3d

SHA256
e58ce9d40e727903784b00cbd406ef4fae1b763e50a0780dbac6e5eedfb17dc5

SHA512
e41c29688e23b28cf00ce2150784910d91d9fc7241c40838c3c16396cc0e647f8b248e044eb61289f21b993fdcde7ae731360a799edc4d964d7d40dbf3e2af9a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
eef18d8a14a9192416c3c9581f5e97bb

SHA1
38a531cc93ac67bf4c767fae2c87e92bf4910cbf

SHA256
c7d133591b56d13740fc3633e164bf57fa6a2ba0017900a98ab6cf7b472cab4b

SHA512
ee2108f04616bbe63efdda20d72643f72ff78f4bda417973340134399beabfbb3548f3bc9deb6f6973053f4b04e57b4b7d3feb8ba9d5e131725dba7deb61cf1f

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
21516a7402075c88b2ee001e1d37a018

SHA1
988bd8f45e914c74b9c74dd11b19e9ac93a64977

SHA256
18fc59ff6e9bd1a69d148f5f901bbf1ba03f1549ab654c0e63b7d88ef9bb3446

SHA512
35f49d69308f79a9ae92982ae1ce03c121eb7744e39b42cce8494b490033aa86bbd6272676bf85b0dc42f559c436a5b718f64d02f057c2ea088fdeeb749846f7

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
c97e1b327254414efcab7987cfdafe7b

SHA1
2ff4fed38caa3c320c6c4a96cb94eba973ef1217

SHA256
afa9f95db1713dbf67f506e942074ec0f78f56bc6f8177488f241193940ea121

SHA512
2b876d34f3c3c3a9b6103f0070af2d380cd9089c78b57fd5a6a93b51c0152d8fedf6bfdabe51b26a3435068685bf108702327f04b3c3ce2129149bfc0c085062

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
026360af257f16011deda9af05e92620

SHA1
d693f70d65f1574b753d117edbdd73647e952c88

SHA256
7ada462c230c7460d519d004d11f20dd211392b29739cd86d7418a2ec4d166ca

SHA512
7e63c12cf612fcba2e9e2291bf3d6bcd81b485505b543ff23b5fe1df645660dd3e2b68649352d1b275abd68082aff5e15fabed40727855af905e18b3448dd8bb

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
1d5c737a02cdc93337100f856bac77c3

SHA1
843104548a4e2867d34cee2af558b8f82db5a14a

SHA256
14cd62c9dfdc1dca9dd15e419ed1ea4b108a716e82d20ffdbec51f0071e47cf8

SHA512
5d93c0fc01cd2fb8591f8c6567f48d6ab26dd322d46250e79064c4830186386555319a8ec4dba76afac6e7c0669627e1087bf152ca47f793f42e30dbbe8c2f7b

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
b4d8dec3a1e792fa14dd9162c5534c94

SHA1
04d13521d6813cf73095429fd0e541248cfb90c7

SHA256
39d7e5508989776948619b0a83b4625c370176e61a3e1cd15b8f6367924ea9de

SHA512
79e0c46e25aa8b5214b47045e03da7f6079ef537f972780d8376658c41740174da528911e82164fa0c26238373fea6829905e831c991b5425b0391d2b22b47d7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
9a08bccf82c9d0c0b9756f9269ce183b

SHA1
1d76480833362a61bf7e2c643ca9d2850e38c9f9

SHA256
0cc7a8460fff253ec19431f0b844dbc8d38c2d5f6c16f4aa2f541e1ae41379b1

SHA512
41d929c72c53d627c8a85c3a6331b33afbc0cc4d80547e212232199d2fbdd02f1c3bc7e1466ca05109ffaba9a7b19b2779e4db8f9d6252fe5a0580e43b9eae1f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
851897dd38c91a2061ea5fd076d86731

SHA1
c281ee8b2c00cb601639789ad12db16310cb4dde

SHA256
af0d4459229c25b34bf77b77b71fbab5a67e6e4ee442016d4d7e623a2bf2b867

SHA512
549e1be552749df3a590f6b90656833ce51e12015305ab3edc17b9f864bd16be3f294be51ec105815b32abdb7778436cc02ef7d1514d31fb1319af1c630ed142

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
fdfc83c4cbe4e57f274a72ce9c27f8fb

SHA1
69d3d615d89406ac0430ce61c23f3e511fd26e07

SHA256
21f1154d2d12f0c2de2f1c30187080387072cf6a0c82c44f2de828f72b6d8a77

SHA512
0eea64043602c7f4fe8de149538bd6bc54ce83a863efe0118b01179a661956e56149ab3f2be316bb1a56b01f0ff3465689681e4d8a56f60a31fb8c3d35afd1e2

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
f953f17def705e78cfda65e2d592f590

SHA1
58b96decc4d206b8e0d13b6ea60ef27ba35de0ab

SHA256
43706f6c3b9413ff8922c34110c0e6d8dc661bce45f5f377e166f17051634454

SHA512
26429ea487ca28f46173ef94ebbcc0eb36b61d48f7c143041a38df590a51235f6f3f8556dd297b51ee047158cc5fa9f1635ab5d4dc291baf5e62552c1ab5c33f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
5c895865d4d15a8effe71d3df7add5ab

SHA1
8ccb3e147d96cd2231f50d86b35bc4ce5b9ec222

SHA256
13290aff5ca139c1430b2a1b29810f91b624ba88299a9b8c74aad8e353a76fae

SHA512
2408af1f10c4d6a79d0d49ecc33680401ec50cf173fb8ed8e0372ca937dba61cd25bc5de26a7e635e928d9caf551bfe227324d155507c53b0ae33a4dfbe20ec5

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
e172b13ea62e4b9b4f80e21d9cbb343c

SHA1
816ea5486cad7d89d89062c4c9714b06ed8f5462

SHA256
a0b9350e0529b5346be4114227b313f8b1b39abccb58b771b98c68dbada61d6e

SHA512
0d72530c91a5714258153a604712c6d95b918bc95b5604e5215eb41d9152086bb71f6f20e02980eb53d532b65a6415ce13878917a8e573900d4bfbe9173ef061

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
04fc206a864d547593ab2340db28245c

SHA1
6ebbc448b288708c05429f5a13524327e17e38ed

SHA256
b411a0ce8910551f3752c7ae32e52080aede69a81f993effd9e51f1d38b1151e

SHA512
283aee0b323dde39c95650698f8d017e936ace1418cae0458cd8e5183b0875e48f5a9f8a5b4b6228f647b95eb9063299b3b654df723dbc850fd1dc1b2c32c07b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
15f802e67a317680f7935449591beef3

SHA1
939f572f606663d88ba821f9c192242f15af3653

SHA256
79f6e1f21b652fa39d6c105d2e88edac39e9da24637f49adc68304920d4ff6bd

SHA512
e561ef6b8077594b8556f95de7e8ac11ae1fe0cc4684fc1ea2cb2e70376ca733cdbbe5d949c0cb7a66f98f4ed5196d94d2a59cdbd23bfafd9b61e90fb13f4f5a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
3.2MB

MD5
d9e17bf4ef0e49abb4e9df9e24e1e133

SHA1
bada7ec154577d372e39a24dc872f162e0c84ba3

SHA256
5be12de155bcdd10ac9c7fbeca2c8fc4ed3f3fc36a43e334ec3e0b6a63fe9bd2

SHA512
125eebc8a84f55df5861b533074be6e8f1fc3162c44d66b909a1db44c689813c0365a065f3b810a62caafd339249ed0e7049490083d66fbde6fb45b9c332b82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Filesize
166KB

MD5
9e194234c9c13aab3938a82f121e7012

SHA1
8f98b3e7fab10feecdca9578bd53b2808793dda9

SHA256
64396c56f15e3b0ee552c98ab0fe1ab6bfbba0a0e0b1643548480b1270eca4f7

SHA512
a159b2491025c4ed2f8bcfb42668ec4724aed09a3c73adcb62252a426962e5f3fe3c4bd0ede34a197f2848706153a24bdac0e9807c11af60e727dd9170048703

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Filesize
130KB

MD5
cc2f24a4f1ab83d29c0a3eebc2662114

SHA1
e1deb06e719d78b29ec8dc442f3d06ed6266551d

SHA256
e46a6ea40ec3527ecca9925ae25f58bfd1be70c76dddbdf6ed727fd7338f7f90

SHA512
646e56a32f01e6574a2c15d70238f5c3bffcc358ea75bbd24c38bca0711abc7a21a2ebc08fe129741dca922d49a88e1f671270fdb72d82c3cf6e68cbd94be45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4668f88c02b5fbf98316a17eccf6a220_JaffaCakes118.exe

Filesize
206KB

MD5
a5a0546260486a83fb92a055450fbb7d

SHA1
789ac0c2868fedd0d3498398e54fc38cdff0475b

SHA256
cad84b2e4f3890c43c4aec47199f28de378df861f93c631323fbe6e5d1f42ba0

SHA512
1dfe9c2125a3c7cba4b7180f56e4f2f96d24bf90ce64ddeff0a3419c9ef46b672197d231e3737ff02fbf44fb7cea64e1e357f6eb010c1325ea0e53dec8d2fe9d

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
9a4a63f442e9d6f7ffac2f7a49b1105d

SHA1
a10706774bf8e3a84258b7c2aef3670184e334f1

SHA256
1c9207d65c6cbb9da89f1489a1df0495f4873dac93a03cff9d0c0ae37a18286c

SHA512
3178c27a62c82ccd0642289f3f09c28b95253cee1d85ffe3c6b9d72caa2e390cf31af1c380d0427af6616ac059a2da3b4d3cab99e7a29551f046852f2c57d419

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
e670f44a849dbb9aed35fca3199748ac

SHA1
15c28fdff201678ade6d03e410671b6a44a95a1e

SHA256
fdef4676d98ac1b29431af4f843a9dd5268f4bc539acff19a232cfba409eef19

SHA512
d76817fe47ab062dbdcaf34b393ba8c30f351eaafd32497a29fbaf4f2a2cd602417a2bd986f475a3cffdebead2ffa4466ac4ad2de23525d693d73091330500d9

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/8-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/216-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/428-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/512-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/516-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/540-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/744-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/816-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/860-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1064-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1224-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1332-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1380-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1436-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1488-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1604-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1704-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1764-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1824-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-85-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-49-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2432-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2652-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3308-180-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3332-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3408-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3576-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3676-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3688-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3688-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3720-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3956-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4004-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4136-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4204-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4208-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4344-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4420-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4440-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4704-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4872-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4924-251-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4956-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4996-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5008-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5036-220-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5108-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5112-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download