neshta | c3db870e54e663cfa26aa9432ddedc0505bdb4dacf7b738a1cdaf573d0809332

Analysis

max time kernel
94s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
Size

178KB
MD5

fb4c7497a06e7cf518b8ca3cc7b3f226
SHA1

ef815a9449f7bd26fd557037c8c748314d3912ad
SHA256

c3db870e54e663cfa26aa9432ddedc0505bdb4dacf7b738a1cdaf573d0809332
SHA512

0497334246d34552d9ff258b8d1fe7a855ec72b67305551d99fb5da54161e0cc5c7b2179ce39c6f05d606f17ebd7a2047d852bd119a0534f690415c5cd4c9d28
SSDEEP

3072:sr85Ck7W1IkEoFR7u1EzH2n5rSsCqmWkRdsIMRk/ICxa5omST47r85C:k9ZuzPnt9

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb3-4.dat	family_neshta
behavioral2/files/0x0007000000023cb4-10.dat	family_neshta
behavioral2/memory/4776-18-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1160-22-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2388-30-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5028-34-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1704-42-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1552-46-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2788-54-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2768-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3088-66-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3296-70-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0006000000020237-85.dat	family_neshta
behavioral2/files/0x00010000000202cc-95.dat	family_neshta
behavioral2/files/0x000400000002035b-94.dat	family_neshta
behavioral2/files/0x00010000000202b9-93.dat	family_neshta
behavioral2/memory/4388-90-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3368-104-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1656-112-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1716-123-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/736-130-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3784-146-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000022f52-158.dat	family_neshta
behavioral2/files/0x0001000000022f56-157.dat	family_neshta
behavioral2/files/0x000100000001680a-169.dat	family_neshta
behavioral2/files/0x000100000001dbb9-182.dat	family_neshta
behavioral2/files/0x0001000000016923-190.dat	family_neshta
behavioral2/files/0x0001000000016921-194.dat	family_neshta
behavioral2/files/0x0001000000022e91-196.dat	family_neshta
behavioral2/files/0x000100000001691e-193.dat	family_neshta
behavioral2/files/0x0001000000022f95-166.dat	family_neshta
behavioral2/files/0x0002000000000729-201.dat	family_neshta
behavioral2/files/0x0001000000021501-145.dat	family_neshta
behavioral2/files/0x0001000000021500-143.dat	family_neshta
behavioral2/files/0x00010000000214ff-141.dat	family_neshta
behavioral2/files/0x000400000001e5ff-204.dat	family_neshta
behavioral2/memory/4692-225-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000b00000001ee2c-230.dat	family_neshta
behavioral2/files/0x000e00000001f3ea-224.dat	family_neshta
behavioral2/files/0x000400000001e6c4-222.dat	family_neshta
behavioral2/memory/1140-206-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3708-233-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1404-243-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2644-244-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4564-251-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4408-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4568-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5016-264-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1532-271-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1752-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1648-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2520-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4288-282-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1836-288-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/940-294-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3032-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3056-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1988-304-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3300-306-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4024-312-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5032-314-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2040-320-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3416-322-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3368-328-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FB4C74~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
3052	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
4776	svchost.com
1160	FB4C74~1.EXE
2388	svchost.com
5028	FB4C74~1.EXE
1704	svchost.com
1552	FB4C74~1.EXE
2788	svchost.com
2768	FB4C74~1.EXE
3088	svchost.com
3296	FB4C74~1.EXE
4388	svchost.com
3368	FB4C74~1.EXE
1656	svchost.com
1716	FB4C74~1.EXE
736	svchost.com
3784	FB4C74~1.EXE
1140	svchost.com
4692	FB4C74~1.EXE
3708	svchost.com
1404	FB4C74~1.EXE
2644	svchost.com
4564	FB4C74~1.EXE
4408	svchost.com
4568	FB4C74~1.EXE
5016	svchost.com
1532	FB4C74~1.EXE
1752	svchost.com
1648	FB4C74~1.EXE
2520	svchost.com
4288	FB4C74~1.EXE
1836	svchost.com
940	FB4C74~1.EXE
3032	svchost.com
3056	FB4C74~1.EXE
1988	svchost.com
3300	FB4C74~1.EXE
4024	svchost.com
5032	FB4C74~1.EXE
2040	svchost.com
3416	FB4C74~1.EXE
3368	svchost.com
4632	FB4C74~1.EXE
3972	svchost.com
2884	FB4C74~1.EXE
3928	svchost.com
2064	FB4C74~1.EXE
2708	svchost.com
4580	FB4C74~1.EXE
3604	svchost.com
3716	FB4C74~1.EXE
3540	svchost.com
1140	FB4C74~1.EXE
1760	svchost.com
1368	FB4C74~1.EXE
1340	svchost.com
2608	FB4C74~1.EXE
4840	svchost.com
2532	FB4C74~1.EXE
3424	svchost.com
2360	FB4C74~1.EXE
1044	svchost.com
4004	FB4C74~1.EXE
4644	svchost.com

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	FB4C74~1.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	FB4C74~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	FB4C74~1.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	FB4C74~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	FB4C74~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	FB4C74~1.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	FB4C74~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	FB4C74~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FB4C74~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB4C74~1.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB4C74~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3128	dw20.exe
Token: SeBackupPrivilege	3128	dw20.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 3052	3180	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe	82
PID 3180 wrote to memory of 3052	3180	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe	82
PID 3180 wrote to memory of 3052	3180	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe	82
PID 3052 wrote to memory of 4776	3052	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe	83
PID 3052 wrote to memory of 4776	3052	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe	83
PID 3052 wrote to memory of 4776	3052	fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe	83
PID 4776 wrote to memory of 1160	4776	svchost.com	84
PID 4776 wrote to memory of 1160	4776	svchost.com	84
PID 4776 wrote to memory of 1160	4776	svchost.com	84
PID 1160 wrote to memory of 2388	1160	FB4C74~1.EXE	85
PID 1160 wrote to memory of 2388	1160	FB4C74~1.EXE	85
PID 1160 wrote to memory of 2388	1160	FB4C74~1.EXE	85
PID 2388 wrote to memory of 5028	2388	svchost.com	86
PID 2388 wrote to memory of 5028	2388	svchost.com	86
PID 2388 wrote to memory of 5028	2388	svchost.com	86
PID 5028 wrote to memory of 1704	5028	FB4C74~1.EXE	87
PID 5028 wrote to memory of 1704	5028	FB4C74~1.EXE	87
PID 5028 wrote to memory of 1704	5028	FB4C74~1.EXE	87
PID 1704 wrote to memory of 1552	1704	svchost.com	88
PID 1704 wrote to memory of 1552	1704	svchost.com	88
PID 1704 wrote to memory of 1552	1704	svchost.com	88
PID 1552 wrote to memory of 2788	1552	FB4C74~1.EXE	89
PID 1552 wrote to memory of 2788	1552	FB4C74~1.EXE	89
PID 1552 wrote to memory of 2788	1552	FB4C74~1.EXE	89
PID 2788 wrote to memory of 2768	2788	svchost.com	90
PID 2788 wrote to memory of 2768	2788	svchost.com	90
PID 2788 wrote to memory of 2768	2788	svchost.com	90
PID 2768 wrote to memory of 3088	2768	FB4C74~1.EXE	91
PID 2768 wrote to memory of 3088	2768	FB4C74~1.EXE	91
PID 2768 wrote to memory of 3088	2768	FB4C74~1.EXE	91
PID 3088 wrote to memory of 3296	3088	svchost.com	92
PID 3088 wrote to memory of 3296	3088	svchost.com	92
PID 3088 wrote to memory of 3296	3088	svchost.com	92
PID 3296 wrote to memory of 4388	3296	FB4C74~1.EXE	93
PID 3296 wrote to memory of 4388	3296	FB4C74~1.EXE	93
PID 3296 wrote to memory of 4388	3296	FB4C74~1.EXE	93
PID 4388 wrote to memory of 3368	4388	svchost.com	123
PID 4388 wrote to memory of 3368	4388	svchost.com	123
PID 4388 wrote to memory of 3368	4388	svchost.com	123
PID 3368 wrote to memory of 1656	3368	FB4C74~1.EXE	95
PID 3368 wrote to memory of 1656	3368	FB4C74~1.EXE	95
PID 3368 wrote to memory of 1656	3368	FB4C74~1.EXE	95
PID 1656 wrote to memory of 1716	1656	svchost.com	167
PID 1656 wrote to memory of 1716	1656	svchost.com	167
PID 1656 wrote to memory of 1716	1656	svchost.com	167
PID 1716 wrote to memory of 736	1716	FB4C74~1.EXE	97
PID 1716 wrote to memory of 736	1716	FB4C74~1.EXE	97
PID 1716 wrote to memory of 736	1716	FB4C74~1.EXE	97
PID 736 wrote to memory of 3784	736	svchost.com	98
PID 736 wrote to memory of 3784	736	svchost.com	98
PID 736 wrote to memory of 3784	736	svchost.com	98
PID 3784 wrote to memory of 1140	3784	FB4C74~1.EXE	134
PID 3784 wrote to memory of 1140	3784	FB4C74~1.EXE	134
PID 3784 wrote to memory of 1140	3784	FB4C74~1.EXE	134
PID 1140 wrote to memory of 4692	1140	svchost.com	100
PID 1140 wrote to memory of 4692	1140	svchost.com	100
PID 1140 wrote to memory of 4692	1140	svchost.com	100
PID 4692 wrote to memory of 3708	4692	FB4C74~1.EXE	101
PID 4692 wrote to memory of 3708	4692	FB4C74~1.EXE	101
PID 4692 wrote to memory of 3708	4692	FB4C74~1.EXE	101
PID 3708 wrote to memory of 1404	3708	svchost.com	102
PID 3708 wrote to memory of 1404	3708	svchost.com	102
PID 3708 wrote to memory of 1404	3708	svchost.com	102
PID 1404 wrote to memory of 2644	1404	FB4C74~1.EXE	103

C:\Users\Admin\AppData\Local\Temp\fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\3582-490\fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        66⤵
        
        PID:4444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        67⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        68⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        69⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        70⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        71⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        72⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        73⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        74⤵
        Checks computer location settings
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        76⤵
        Modifies registry class
        
        PID:3736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        77⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        78⤵
        
        PID:4732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        79⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        80⤵
        
        PID:3436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        81⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        82⤵
        Checks computer location settings
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        83⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        84⤵
        Checks computer location settings
        Modifies system executable filetype association
        Drops file in Program Files directory
        
        PID:1208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        86⤵
        Modifies registry class
        
        PID:3924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        87⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        88⤵
        Modifies registry class
        
        PID:3972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        90⤵
        Checks computer location settings
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        91⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        92⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        93⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        94⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        96⤵
        Modifies registry class
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        98⤵
        
        PID:4120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        99⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        100⤵
        Checks computer location settings
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        101⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        102⤵
        
        PID:632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        103⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        104⤵
        Modifies registry class
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        105⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        106⤵
        Checks computer location settings
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        108⤵
        Modifies registry class
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        109⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        110⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        111⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        112⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        113⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        114⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        116⤵
        
        PID:468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        117⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        118⤵
        Checks computer location settings
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        119⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        120⤵
        
        PID:4012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        121⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        122⤵
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        123⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        124⤵
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        125⤵
        Drops file in Windows directory
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        126⤵
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        127⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        128⤵
        
        PID:3436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        129⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        130⤵
        Checks computer location settings
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        131⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        132⤵
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        134⤵
        Checks computer location settings
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        135⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        136⤵
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        137⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        138⤵
        
        PID:576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        139⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        140⤵
        Modifies registry class
        
        PID:4360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        141⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        143⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        144⤵
        Modifies registry class
        
        PID:4672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        145⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        146⤵
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        147⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        148⤵
        
        PID:3196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        149⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        150⤵
        
        PID:3704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        151⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        152⤵
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        154⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        155⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        156⤵
        Modifies registry class
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        158⤵
        
        PID:336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        159⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        160⤵
        Modifies registry class
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        161⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        163⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        164⤵
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        165⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        166⤵
        Checks computer location settings
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        168⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        169⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        170⤵
        Modifies registry class
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        171⤵
        Drops file in Windows directory
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        172⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        173⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        174⤵
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        175⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        176⤵
        
        PID:4692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        178⤵
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        179⤵
        Drops file in Windows directory
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        180⤵
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        181⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        182⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        183⤵
        Drops file in Windows directory
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        184⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        185⤵
        Drops file in Windows directory
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        186⤵
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        187⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        188⤵
        Drops file in Windows directory
        
        PID:3392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        189⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        190⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        191⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        192⤵
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        194⤵
        Modifies registry class
        
        PID:5116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        195⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        196⤵
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        197⤵
        Drops file in Windows directory
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        198⤵
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        199⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        200⤵
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        201⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        202⤵
        Modifies registry class
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        203⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        205⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        206⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        207⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        208⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        209⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        210⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        211⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        212⤵
        Modifies registry class
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        213⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        214⤵
        Checks computer location settings
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        215⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        216⤵
        
        PID:1076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        217⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        218⤵
        
        PID:4740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        219⤵
        Drops file in Windows directory
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        220⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        221⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        222⤵
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        223⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        224⤵
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        225⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        226⤵
        Modifies registry class
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        227⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        228⤵
        Modifies registry class
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        229⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        230⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        231⤵
        Drops file in Windows directory
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        232⤵
        
        PID:748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        233⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        234⤵
        Checks computer location settings
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        235⤵
        Drops file in Windows directory
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        236⤵
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        237⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        238⤵
        Checks computer location settings
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        239⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        240⤵
        Drops file in Windows directory
        
        PID:3516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        241⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        242⤵
        Checks computer location settings
        
        PID:4048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        244⤵
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        245⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        246⤵
        Modifies registry class
        
        PID:1076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        247⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        249⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        251⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        252⤵
        
        PID:2792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        253⤵
        Drops file in Windows directory
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        254⤵
        Modifies registry class
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        255⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        256⤵
        
        PID:512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        257⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        259⤵
        Drops file in Windows directory
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        260⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        261⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        262⤵
        Checks computer location settings
        
        PID:3216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        263⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        264⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        265⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        266⤵
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        267⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        268⤵
        Modifies registry class
        
        PID:988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        269⤵
        Drops file in Windows directory
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        270⤵
        Modifies registry class
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        271⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        272⤵
        Checks computer location settings
        
        PID:4328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        273⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        274⤵
        Checks computer location settings
        
        PID:1876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        275⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        276⤵
        Checks computer location settings
        
        PID:1288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        277⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        278⤵
        Modifies registry class
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        279⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        280⤵
        
        PID:3556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        282⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        283⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        284⤵
        Modifies registry class
        
        PID:4680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        285⤵
        Drops file in Windows directory
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        286⤵
        
        PID:3192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        287⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        288⤵
        Checks computer location settings
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        289⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        290⤵
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        291⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        292⤵
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        293⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        294⤵
        Checks computer location settings
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        296⤵
        
        PID:4584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        297⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        298⤵
        Modifies registry class
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        299⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        300⤵
        
        PID:1880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        301⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        302⤵
        
        PID:604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        303⤵
        Drops file in Windows directory
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        304⤵
        
        PID:4408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        305⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        306⤵
        
        PID:4188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        307⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        308⤵
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        309⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        310⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        312⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        313⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        314⤵
        
        PID:4568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        315⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        316⤵
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        317⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        318⤵
        
        PID:2340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        319⤵
        Drops file in Windows directory
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        320⤵
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        321⤵
        Drops file in Windows directory
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        322⤵
        
        PID:3744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        323⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        324⤵
        Drops file in Windows directory
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        326⤵
        Modifies registry class
        
        PID:3752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        327⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        328⤵
        
        PID:4352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        329⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        330⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        332⤵
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        334⤵
        Drops file in Windows directory
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        335⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        336⤵
        
        PID:4040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        337⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        338⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        339⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        340⤵
        Modifies registry class
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        341⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        342⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        343⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        344⤵
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        345⤵
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        346⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        347⤵
        Drops file in Windows directory
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        348⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        349⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        350⤵
        Checks computer location settings
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        351⤵
        Drops file in Windows directory
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        352⤵
        
        PID:1548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        354⤵
        
        PID:4680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        355⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        356⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        357⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        358⤵
        Modifies registry class
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        359⤵
        Drops file in Windows directory
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        360⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        361⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        362⤵
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        363⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        364⤵
        Modifies registry class
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        365⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        366⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        367⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        368⤵
        Drops file in Windows directory
        
        PID:3928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        369⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        370⤵
        Modifies registry class
        
        PID:1880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        371⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        372⤵
        
        PID:4736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        373⤵
        Drops file in Windows directory
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        374⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        375⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        376⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        377⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        378⤵
        Checks computer location settings
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        379⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        380⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        381⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        382⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        383⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        384⤵
        Drops file in Windows directory
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        385⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        386⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        387⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        388⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        389⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        390⤵
        
        PID:2792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        391⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        392⤵
        Checks computer location settings
        
        PID:1444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        393⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        394⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        395⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        396⤵
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        397⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        398⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        399⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        400⤵
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        401⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        402⤵
        
        PID:3892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        403⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        404⤵
        
        PID:3396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        405⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        406⤵
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        407⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        408⤵
        Checks computer location settings
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        409⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        410⤵
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        411⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        412⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        413⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        414⤵
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        415⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        416⤵
        
        PID:3492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        417⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        418⤵
        Checks computer location settings
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        419⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        420⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        421⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        422⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        423⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        424⤵
        Drops file in Windows directory
        
        PID:3844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        425⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        426⤵
        Checks computer location settings
        
        PID:4680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        427⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        428⤵
        
        PID:3224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        429⤵
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        430⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        431⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        432⤵
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        433⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        434⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        435⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        436⤵
        Modifies registry class
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        437⤵
        Drops file in Windows directory
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        438⤵
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        439⤵
        Drops file in Windows directory
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        440⤵
        Modifies registry class
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        441⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        442⤵
        Modifies registry class
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        443⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        444⤵
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        445⤵
        Drops file in Windows directory
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        446⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        447⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        448⤵
        
        PID:3424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        449⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        450⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        451⤵
        Drops file in Windows directory
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        452⤵
        
        PID:4688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        453⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        454⤵
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        455⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        456⤵
        Checks computer location settings
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        457⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        458⤵
        Checks computer location settings
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        459⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        460⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        461⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        462⤵
        Drops file in Windows directory
        
        PID:5112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        463⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        464⤵
        Checks computer location settings
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        465⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        466⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        467⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        468⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        469⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        470⤵
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        471⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        472⤵
        
        PID:3216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        473⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        474⤵
        Checks computer location settings
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        475⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        476⤵
        Drops file in Windows directory
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        477⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        478⤵
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        479⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        480⤵
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        481⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        482⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        483⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        484⤵
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        485⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        486⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        487⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        488⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        489⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        490⤵
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE"
        491⤵
        Drops file in Windows directory
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FB4C74~1.EXE
        492⤵
        
        PID:4740
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1448
        493⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
10748253009c18f4695b7043dcf36fdc

SHA1
22d24c7b4cd0b280f09a76534545cfdc1d66a256

SHA256
3bee29dd355e50cdf24736a2a53d8fffd9cd93e702109f20d65a7e2e2fcfd9f1

SHA512
477462d114a9aac7aead3483a5a038f1fc4484514c2aa0a4c6d6aab30075056ad439592b1f9a72cf4c4499eefa8aeb744e0c2dad439ef8efae795611df352080

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

Filesize
139KB

MD5
1e09e65111ab34cb84f7855d3cddc680

SHA1
f9f852104b46d99cc7f57a6f40d5db2090be04c0

SHA256
8f5c7c8e0258a5caa37637b2fa36f3bd87569a97b5c1ecf40dab50e7255fcf9c

SHA512
003176cb9dd7668b1b40e4d60d86d57c1a9ec4d873382aab781b31c8c89f0e388f3d406963f159412e2828d0be9f6daea146a252d8ee47281dda01123c9e7ace

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE

Filesize
244KB

MD5
da18586b25e72ff40c0f24da690a2edc

SHA1
27a388f3cdcfa7357f971b5c4411ea5aa1b9e5f5

SHA256
67f6e8f14bcf0e6d570c1f4ac5a1bb80a4e1470b5bad5a7ee85689c476597d8e

SHA512
3512820a9d37b61f77a79b2d4d3f6aec9ef53dbf81071bee16f5dcc8173393a1cd1bffe9f7f39467b72f9c9271a78e42078e68598934188d9df0b887f2edc5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
290KB

MD5
23b1708cd5e7409832fe36f125844e7a

SHA1
39ec7d4322cf4ccea82ee65343d05459c5eb3f3e

SHA256
03e0297166fcd0b5a439d974080fbd5efbb48dfe3b019ab11faa89ecc372765f

SHA512
d6291f0a98f1dfedd81589f07d219df23a9e734680975d5e2d91553767927bd2b7ed915e6f5974767277fb813e14f8549caf57f96912ea3cebe28b73ca3ec62e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
274KB

MD5
d84f63a0bf5eff0c8c491f69b81d1a36

SHA1
17c7d7ae90e571e99f1b1685872f91c04ee76e85

SHA256
06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2

SHA512
865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
7ec5ddf3fcc6796ca4e49ba4b3cf196a

SHA1
0f5d6a04f70f466b3cbe1750d9be78da80579e07

SHA256
f71d62354d4c6eec8a9cd14db442b9a5f2a6550468b01bda06f82acaa8e0c9b8

SHA512
f3884675fd5d324843102bf7dcc22885962ce1feaaf9f2460af8de36d594102957da993576405f18686e04ac693b651fec22c4e66a9821329f53f712281c87ea

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
bcb5db16e576464d3d8d93e1907bf946

SHA1
b10f3c3dc4baef4655ae2c30543be9d3c40b9781

SHA256
24c9b3b4cf5e45a56c90d7fd112b05f07dd89cf96e98729beb2f6081fca758c0

SHA512
c36339b06a00938c8a63ba4d54a766dc3ca3d1e34d69e9b4b2bfa9ca79c5c65d07f216f84af2b60be0c9cbdccadc5c271018efed52def8bd778dc01743d61229

Download Submit
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
650KB

MD5
72d0addae57f28c993b319bfafa190ac

SHA1
8082ad7a004a399f0edbf447425f6a0f6c772ff3

SHA256
671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18

SHA512
98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fb4c7497a06e7cf518b8ca3cc7b3f226_JaffaCakes118.exe

Filesize
137KB

MD5
77ca00dc73da4f314c5c05b23b2e6ad5

SHA1
a0aeca7c468d41ef0f4c651b42424329ed978866

SHA256
b5f9b7aaf9bab0ab4a416e8ce10d3c403afc6dfb9e6339bbc0e8c767bce1830c

SHA512
9528e0bd027185ce000b53ce17815ac59bc5bd9aea9e0000126ede3a70e580fd91d0b669cc9d23e42bdf1ca6294ae9ee3c9d6f8984140f0f97c6cd47e6e7365d

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
3da37955d96e3c27bd3ce37429b8db1c

SHA1
15f3bc9280ae95f9e1a608d25b8c575e7bb797e3

SHA256
83fc8d51cae6c8c133198337bdae8e81d075e6c55fca70bc7777ca7d2000cc65

SHA512
99bced7a8c6eee12b60d589bcb7485ae164cc6236ce91025286093d95bc0bf99bfe621aaefffa569149b24a64923462bddaad01adecfa7612778ee4e188c7f39

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
5d98fb86eea77df163bb49575b43dcba

SHA1
f809f0df8990ee0f700b8c028b73aed1eb5226fc

SHA256
608d7d9add490e127f79a2e5d5b1c30852bb3935253fac580e00f186dc9b62f2

SHA512
ca906fcea63023ea046233bab90138c314ad8ca8e3c8f01f035cd0fab3d44c6b644440e6315a418f910e1fd4c6c2cdf366e92e5fd3dd22c2412d6a654b9fb96d

Download Submit
memory/736-130-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/940-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1044-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1140-206-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1140-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1160-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1404-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1552-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1648-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1656-112-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1704-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1716-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1760-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2388-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2532-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2768-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3088-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3296-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3300-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3368-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3368-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3416-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3424-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3540-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3604-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3708-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3716-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3784-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3928-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4004-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4024-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4288-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4388-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4408-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4444-418-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4564-251-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4568-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4580-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4632-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4644-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4692-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4740-2063-0x000000001C3F0000-0x000000001C8BE000-memory.dmp

Filesize
4.8MB

Download
memory/4740-2064-0x000000001C8C0000-0x000000001C95C000-memory.dmp

Filesize
624KB

Download
memory/4776-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4840-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5016-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5028-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5032-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads