neshta | 56d93b29c4db52fe2e336ebeb5377e2c8f72523ea9b527beaef8821c306796d8

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
Size

364KB
MD5

aac6660541b72842f5e7902b3bd5de3f
SHA1

04c86541e7569a6889311691ed852bfa1933e379
SHA256

56d93b29c4db52fe2e336ebeb5377e2c8f72523ea9b527beaef8821c306796d8
SHA512

16c6b3433ef398a7fa3e93a5165ff6f9f9b9bffdb238d61c3617303dc25e2376f5eddc37e1c475a0d5740c4e9e3373f85534e03e97957cb22e7d2bb1e20d6e88
SSDEEP

6144:k9PjDmRAs7pM3t6nHaCLrob5P9+UeRUq6tyH7xOc6H5c6HcT66vlmr:Of8zbobNeWa

Score

10^/10

neshta discovery persistence spyware stealer upx

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral1/files/0x00060000000186f2-20.dat	family_neshta
behavioral1/files/0x00060000000186f8-33.dat	family_neshta
behavioral1/files/0x0001000000010314-38.dat	family_neshta
behavioral1/files/0x0001000000010312-37.dat	family_neshta
behavioral1/files/0x0009000000010663-36.dat	family_neshta
behavioral1/files/0x0029000000010667-35.dat	family_neshta
behavioral1/memory/2844-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2828-51-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2796-67-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2624-66-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2588-81-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2284-80-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/548-95-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1996-94-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1984-109-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2660-108-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2000-123-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2316-122-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7e5-138.dat	family_neshta
behavioral1/files/0x000100000000f82c-145.dat	family_neshta
behavioral1/memory/1296-152-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2924-151-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2536-174-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1080-173-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/316-195-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/308-194-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1536-203-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1664-204-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1784-218-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1040-217-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3000-230-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/884-229-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1804-255-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1696-254-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2712-268-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2720-269-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1808-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2724-276-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2736-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2708-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2604-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2796-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/640-306-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2164-307-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1996-315-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1032-314-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2804-323-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2820-322-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1984-331-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2008-330-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1720-339-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1988-338-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2928-346-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2612-352-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2936-355-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2144-354-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2924-363-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/700-362-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2940-373-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/812-372-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/692-381-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1860-380-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1732-389-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1600-388-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
2652	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
1808	svchost.exe
2328	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
2828	svchost.com
2844	AAC666~1.EXE
2884	svchost.exe
2796	svchost.com
2624	AAC666~1.EXE
2588	svchost.com
2284	AAC666~1.EXE
1996	svchost.com
548	AAC666~1.EXE
1984	svchost.com
2660	AAC666~1.EXE
2316	svchost.com
2000	AAC666~1.EXE
1296	svchost.com
2924	AAC666~1.EXE
2536	svchost.com
1080	AAC666~1.EXE
316	svchost.com
308	AAC666~1.EXE
1664	svchost.com
1536	AAC666~1.EXE
1784	svchost.com
1040	AAC666~1.EXE
3000	svchost.com
884	AAC666~1.EXE
1804	svchost.com
1696	AAC666~1.EXE
2712	svchost.com
2720	AAC666~1.EXE
1808	svchost.com
2724	AAC666~1.EXE
2736	svchost.com
2708	AAC666~1.EXE
2796	svchost.com
2604	AAC666~1.EXE
2164	svchost.com
640	AAC666~1.EXE
1032	svchost.com
1996	AAC666~1.EXE
2804	svchost.com
2820	AAC666~1.EXE
1984	svchost.com
2008	AAC666~1.EXE
1720	svchost.com
1988	AAC666~1.EXE
2612	svchost.com
2928	AAC666~1.EXE
2936	svchost.com
2144	AAC666~1.EXE
2924	svchost.com
700	AAC666~1.EXE
812	svchost.com
2940	AAC666~1.EXE
692	svchost.com
1860	AAC666~1.EXE
1600	svchost.com
1732	AAC666~1.EXE
2136	svchost.com
1752	AAC666~1.EXE
2516	svchost.com
1536	AAC666~1.EXE

Loads dropped DLL 64 IoCs

pid	Process
2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
1808	svchost.exe
1808	svchost.exe
2828	svchost.com
2828	svchost.com
2796	svchost.com
2796	svchost.com
2588	svchost.com
2588	svchost.com
1996	svchost.com
1996	svchost.com
1984	svchost.com
1984	svchost.com
2316	svchost.com
2316	svchost.com
1296	svchost.com
1296	svchost.com
2328	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
2536	svchost.com
2536	svchost.com
316	svchost.com
316	svchost.com
2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
1664	svchost.com
1664	svchost.com
1784	svchost.com
1784	svchost.com
3000	svchost.com
3000	svchost.com
1804	svchost.com
1804	svchost.com
2712	svchost.com
2712	svchost.com
1808	svchost.com
1808	svchost.com
2736	svchost.com
2736	svchost.com
2796	svchost.com
2796	svchost.com
2164	svchost.com
2164	svchost.com
1032	svchost.com
1032	svchost.com
2804	svchost.com
2804	svchost.com
1984	svchost.com
1984	svchost.com
1720	svchost.com
1720	svchost.com
2612	svchost.com
2612	svchost.com
2936	svchost.com
2936	svchost.com
2924	svchost.com
2924	svchost.com
812	svchost.com
812	svchost.com
692	svchost.com
692	svchost.com
1600	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000186f2-1498.dat	upx
behavioral1/memory/2744-1502-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral1/memory/2744-1505-0x0000000000400000-0x0000000000499000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE
File opened for modification	C:\Windows\directx.sys	AAC666~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2988	2744	WerFault.exe	364

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AAC666~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2652	2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2652	2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2652	2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2652	2364	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	31
PID 2652 wrote to memory of 1808	2652	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	32
PID 2652 wrote to memory of 1808	2652	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	32
PID 2652 wrote to memory of 1808	2652	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	32
PID 2652 wrote to memory of 1808	2652	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	32
PID 1808 wrote to memory of 2328	1808	svchost.exe	33
PID 1808 wrote to memory of 2328	1808	svchost.exe	33
PID 1808 wrote to memory of 2328	1808	svchost.exe	33
PID 1808 wrote to memory of 2328	1808	svchost.exe	33
PID 2328 wrote to memory of 2828	2328	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	34
PID 2328 wrote to memory of 2828	2328	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	34
PID 2328 wrote to memory of 2828	2328	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	34
PID 2328 wrote to memory of 2828	2328	aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe	34
PID 2828 wrote to memory of 2844	2828	svchost.com	35
PID 2828 wrote to memory of 2844	2828	svchost.com	35
PID 2828 wrote to memory of 2844	2828	svchost.com	35
PID 2828 wrote to memory of 2844	2828	svchost.com	35
PID 2844 wrote to memory of 2796	2844	AAC666~1.EXE	67
PID 2844 wrote to memory of 2796	2844	AAC666~1.EXE	67
PID 2844 wrote to memory of 2796	2844	AAC666~1.EXE	67
PID 2844 wrote to memory of 2796	2844	AAC666~1.EXE	67
PID 2796 wrote to memory of 2624	2796	svchost.com	38
PID 2796 wrote to memory of 2624	2796	svchost.com	38
PID 2796 wrote to memory of 2624	2796	svchost.com	38
PID 2796 wrote to memory of 2624	2796	svchost.com	38
PID 2624 wrote to memory of 2588	2624	AAC666~1.EXE	39
PID 2624 wrote to memory of 2588	2624	AAC666~1.EXE	39
PID 2624 wrote to memory of 2588	2624	AAC666~1.EXE	39
PID 2624 wrote to memory of 2588	2624	AAC666~1.EXE	39
PID 2588 wrote to memory of 2284	2588	svchost.com	40
PID 2588 wrote to memory of 2284	2588	svchost.com	40
PID 2588 wrote to memory of 2284	2588	svchost.com	40
PID 2588 wrote to memory of 2284	2588	svchost.com	40
PID 2284 wrote to memory of 1996	2284	AAC666~1.EXE	72
PID 2284 wrote to memory of 1996	2284	AAC666~1.EXE	72
PID 2284 wrote to memory of 1996	2284	AAC666~1.EXE	72
PID 2284 wrote to memory of 1996	2284	AAC666~1.EXE	72
PID 1996 wrote to memory of 548	1996	svchost.com	42
PID 1996 wrote to memory of 548	1996	svchost.com	42
PID 1996 wrote to memory of 548	1996	svchost.com	42
PID 1996 wrote to memory of 548	1996	svchost.com	42
PID 548 wrote to memory of 1984	548	AAC666~1.EXE	75
PID 548 wrote to memory of 1984	548	AAC666~1.EXE	75
PID 548 wrote to memory of 1984	548	AAC666~1.EXE	75
PID 548 wrote to memory of 1984	548	AAC666~1.EXE	75
PID 1984 wrote to memory of 2660	1984	svchost.com	44
PID 1984 wrote to memory of 2660	1984	svchost.com	44
PID 1984 wrote to memory of 2660	1984	svchost.com	44
PID 1984 wrote to memory of 2660	1984	svchost.com	44
PID 2660 wrote to memory of 2316	2660	AAC666~1.EXE	45
PID 2660 wrote to memory of 2316	2660	AAC666~1.EXE	45
PID 2660 wrote to memory of 2316	2660	AAC666~1.EXE	45
PID 2660 wrote to memory of 2316	2660	AAC666~1.EXE	45
PID 2316 wrote to memory of 2000	2316	svchost.com	46
PID 2316 wrote to memory of 2000	2316	svchost.com	46
PID 2316 wrote to memory of 2000	2316	svchost.com	46
PID 2316 wrote to memory of 2000	2316	svchost.com	46
PID 2000 wrote to memory of 1296	2000	AAC666~1.EXE	47
PID 2000 wrote to memory of 1296	2000	AAC666~1.EXE	47
PID 2000 wrote to memory of 1296	2000	AAC666~1.EXE	47
PID 2000 wrote to memory of 1296	2000	AAC666~1.EXE	47

C:\Users\Admin\AppData\Local\Temp\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\3582-490\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        59⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        65⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        66⤵
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        67⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        68⤵
        Drops file in Windows directory
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        69⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        71⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        72⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        73⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        74⤵
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        75⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        76⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        77⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        80⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        81⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        82⤵
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        83⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        84⤵
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        85⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        86⤵
        Drops file in Windows directory
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        88⤵
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        90⤵
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        92⤵
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        93⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        94⤵
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        95⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        96⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        97⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        98⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        99⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        101⤵
        Drops file in Windows directory
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        102⤵
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        104⤵
        
        PID:908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        105⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        106⤵
        Drops file in Windows directory
        
        PID:988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        107⤵
        Drops file in Windows directory
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        108⤵
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        109⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        110⤵
        
        PID:1484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        111⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        112⤵
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        113⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        114⤵
        
        PID:2416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        116⤵
        Drops file in Windows directory
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        118⤵
        Drops file in Windows directory
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        119⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        120⤵
        Drops file in Windows directory
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        121⤵
        Drops file in Windows directory
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        122⤵
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        123⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        124⤵
        Drops file in Windows directory
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        125⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        126⤵
        Drops file in Windows directory
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        127⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        128⤵
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        129⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        130⤵
        Drops file in Windows directory
        
        PID:2560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        131⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        132⤵
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        133⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        134⤵
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        135⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        137⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        138⤵
        
        PID:620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        139⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        141⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        142⤵
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        143⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        144⤵
        
        PID:1100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        145⤵
        Drops file in Windows directory
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        146⤵
        
        PID:1604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        147⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        148⤵
        
        PID:1524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        149⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        150⤵
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        151⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        152⤵
        Drops file in Windows directory
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        153⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        154⤵
        
        PID:1668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        155⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        156⤵
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        157⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        158⤵
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        159⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        160⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        162⤵
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        163⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        164⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        165⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        166⤵
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        167⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        168⤵
        Drops file in Windows directory
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        171⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        172⤵
        Drops file in Windows directory
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        173⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        174⤵
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        175⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        177⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        178⤵
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        179⤵
        Drops file in Windows directory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        180⤵
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        181⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        183⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        184⤵
        
        PID:1316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        186⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        187⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        188⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        189⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        190⤵
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        191⤵
        Drops file in Windows directory
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        192⤵
        
        PID:596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        195⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        196⤵
        Drops file in Windows directory
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        197⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        198⤵
        
        PID:3000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        202⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        203⤵
        Drops file in Windows directory
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        204⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        205⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        206⤵
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        207⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        208⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        210⤵
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        211⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        212⤵
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        213⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        214⤵
        
        PID:2588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        215⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        217⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        218⤵
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        219⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        221⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        222⤵
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        223⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        225⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        226⤵
        
        PID:620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        227⤵
        Drops file in Windows directory
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        228⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        229⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        230⤵
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        231⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        232⤵
        Drops file in Windows directory
        
        PID:1100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        233⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        234⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        235⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        236⤵
        Drops file in Windows directory
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        237⤵
        Drops file in Windows directory
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        238⤵
        
        PID:1508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        239⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        240⤵
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        241⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        243⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        244⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        245⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        246⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        248⤵
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        249⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        250⤵
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        253⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        254⤵
        Drops file in Windows directory
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        255⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        256⤵
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        257⤵
        Drops file in Windows directory
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        258⤵
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        259⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        260⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        261⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        262⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        264⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        265⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        267⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        268⤵
        Drops file in Windows directory
        
        PID:700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        269⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        270⤵
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        271⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        274⤵
        Drops file in Windows directory
        
        PID:308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        275⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        276⤵
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        277⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        278⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        279⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        280⤵
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        281⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        282⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        283⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        284⤵
        Drops file in Windows directory
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        285⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        286⤵
        Drops file in Windows directory
        
        PID:1152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        287⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        288⤵
        Drops file in Windows directory
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        292⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        293⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        295⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        298⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        299⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        300⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        301⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        302⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        303⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        304⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        305⤵
        Drops file in Windows directory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        306⤵
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        307⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        308⤵
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        309⤵
        Drops file in Windows directory
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        310⤵
        
        PID:1916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        311⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        312⤵
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        313⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        314⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        315⤵
        Drops file in Windows directory
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        316⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        318⤵
        
        PID:316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        319⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        320⤵
        Drops file in Windows directory
        
        PID:696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        321⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        322⤵
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        323⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        324⤵
        
        PID:1780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        325⤵
        
        PID:356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        326⤵
        Drops file in Windows directory
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        327⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        328⤵
        Drops file in Windows directory
        
        PID:3040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        329⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        330⤵
        Drops file in Windows directory
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        331⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        332⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE"
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE
        334⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 180
        335⤵
        Program crash
        
        PID:2988

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\AAC666~1.EXE

Filesize
248KB

MD5
76da98e25ad571fc697a9ec71c072780

SHA1
e1a53c30a20bcf0395028b83af76a55181b7072e

SHA256
6ef6309719b21c78ebbabc2afaef0e723a82ef249ec19b51798edb8aa03a33bd

SHA512
2062a9f0f94a160685854ee8b803a8be90bfe92a2c8e03a2361885acfc03e1c702827cef1a57b78580cc231ea7eaf3b39d65a2f2056047474d599361c59a61ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe

Filesize
288KB

MD5
bca8bd3295232a014b3ef6282f49f17a

SHA1
e106d770b0a4fcc97f884efec5eeea687dd5c120

SHA256
9bac3a491f2f78c563c544bf806246e54cbf7a3f0045c0debbe82d2dbd7c116d

SHA512
c7d302a61a3df900fbb0d638d91cbe604cc4e336260360c2b386b49cf55c9eb47031dae346b1e85159522e7dc05c9188531ad34a2eb2ca63f82464c14159b012

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe

Filesize
288KB

MD5
409dc0bfda329a7a7032a0d93da85374

SHA1
60c84d9295db1b67474f691305613e6694d44396

SHA256
4427da4423851e5ca522347cde0751b882f2323e2869d22d5ca6d8b6911fb59d

SHA512
4761541bb5f6b77873a8e8c264a90c14379c5fe10ef9a68b9162c63224b8549ac20b5fb13acc6aff814cea8153ae166e6ac45cbe298d7015bfe67c2842d67147

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
3772604b6b74432385f54aae66831521

SHA1
a7a0a72086428dc65f35556202210cfc8665f79c

SHA256
268461daa8c6fe76d869b420bab95fb9ccd917a4a1f0b9ddc251c1d66c960123

SHA512
f1e6a35977868b9c022f6435df91c905ca543bcf3f6614eee4ce85f696ea0e10ddca6429cccc5238cea792054db2df8ad25dcc68b0ffad37d86c3196d23ad4c7

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92c3111bada18092a858ede167a9e697

SHA1
6bc35a62c41fbf8f716952483025cd1a2e15abd6

SHA256
83e278efe2b04297adb6b1ce72480115cf00a0a93ec322e48448d47cb4f97278

SHA512
2d12dec12b0e7f1bc86822b8b6366988275d1fa1a431d6c8e6ee409dac574e30a00e68a06e2f88cba37c90e04d4279c705f30546c5fea5ad7b214c0d3cceb6c8

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\aac6660541b72842f5e7902b3bd5de3f_JaffaCakes118.exe

Filesize
324KB

MD5
9cf393d974dacc3b73a60d40dfca1b24

SHA1
606f08c5864ff866799a0bb3de8df1e902e86741

SHA256
5e4d0d2d5bf7db516db5b9602fca2e80b443b91640068b2d3c8214a4df5fa0a7

SHA512
fea6762be546cc1bad6b1d94a7f4623f574e417f8b9877dc85aa7a0a61b11b6d13b6251b6b8b1794ef0d6d5981da770637226c52c049c4b32f1b0ec366a26972

Download Submit
memory/308-194-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/316-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/548-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/640-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/692-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/700-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/812-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/884-229-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1032-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1040-217-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1080-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1296-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-254-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1784-218-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1804-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1808-46-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1808-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1860-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1984-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1984-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-94-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2008-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2116-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2136-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2144-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2308-1501-0x0000000000420000-0x00000000004B9000-memory.dmp

Filesize
612KB

Download
memory/2308-1500-0x0000000000420000-0x00000000004B9000-memory.dmp

Filesize
612KB

Download
memory/2316-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2536-174-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2588-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2612-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2624-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2652-16-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2660-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2724-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2736-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-1505-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2744-1502-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2796-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2804-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2928-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2940-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3000-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads