neshta | dd2f8520c6310d02a3a40bffc1a718bb2498094ec86f4d9c5bbdba258d9625b9

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
Size

286KB
MD5

0b1023e3a9281eb691bb3b1019fbaa12
SHA1

4694dc893d19f0138937a48418b9d35eb70718ad
SHA256

dd2f8520c6310d02a3a40bffc1a718bb2498094ec86f4d9c5bbdba258d9625b9
SHA512

b9a5872c1ed4e7f3671a129c9c0ae994e796b637d7149964750a37c1078c883971b2a40ea0dba0dcbf184a83a4711162f87480a87a17f4044df5db856fb61bf7
SSDEEP

6144:PuiuiuonhTZ976anhTZ976HEg5EYmEHhXEg5EYmEHhr:1tn76atn76HrughXrughr

Score

10^/10

neshta defense_evasion discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	JAFFAC~1.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	JAFFAC~1.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
2456	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2088	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt
2804	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2252	svchost.com
2836	JAFFAC~1.EXE
2868	svchost.com
2532	JAFFAC~1.EXE
2608	svchost.com
3020	JAFFAC~1.EXE
1744	svchost.com
1840	JAFFAC~1.EXE
2800	svchost.com
1792	JAFFAC~1.EXE
1680	svchost.com
884	JAFFAC~1.EXE
484	svchost.com
1916	JAFFAC~1.EXE
2988	svchost.com
2052	JAFFAC~1.EXE
1076	svchost.com
1092	JAFFAC~1.EXE
1584	svchost.com
1308	JAFFAC~1.EXE
2980	svchost.com
2032	JAFFAC~1.EXE
2512	svchost.com
2468	JAFFAC~1.EXE
2432	svchost.com
2904	JAFFAC~1.EXE
1796	svchost.com
1340	JAFFAC~1.EXE
1556	svchost.com
2796	JAFFAC~1.EXE
2276	svchost.com
2696	JAFFAC~1.EXE
2832	svchost.com
2592	JAFFAC~1.EXE
2568	svchost.com
3004	JAFFAC~1.EXE
1968	svchost.com
2620	JAFFAC~1.EXE
1476	svchost.com
1940	JAFFAC~1.EXE
1400	svchost.com
1948	JAFFAC~1.EXE
1396	svchost.com
1664	JAFFAC~1.EXE
2776	svchost.com
1232	JAFFAC~1.EXE
848	svchost.com
2632	JAFFAC~1.EXE
1916	svchost.com
2244	JAFFAC~1.EXE
2160	svchost.com
2180	JAFFAC~1.EXE
2520	svchost.com
836	JAFFAC~1.EXE
328	svchost.com
1924	JAFFAC~1.EXE
1980	svchost.com
1584	JAFFAC~1.EXE
1308	svchost.com
1524	JAFFAC~1.EXE
2388	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2456	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2456	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2088	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt
2088	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt
2252	svchost.com
2252	svchost.com
2868	svchost.com
2868	svchost.com
2608	svchost.com
2608	svchost.com
1744	svchost.com
1744	svchost.com
2800	svchost.com
2800	svchost.com
1680	svchost.com
1680	svchost.com
484	svchost.com
484	svchost.com
2988	svchost.com
2988	svchost.com
1076	svchost.com
1076	svchost.com
2804	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
1584	svchost.com
1584	svchost.com
2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2980	svchost.com
2980	svchost.com
2512	svchost.com
2512	svchost.com
2432	svchost.com
2432	svchost.com
1796	svchost.com
1796	svchost.com
1556	svchost.com
1556	svchost.com
2276	svchost.com
2276	svchost.com
2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
2832	svchost.com
2832	svchost.com
2568	svchost.com
2568	svchost.com
1968	svchost.com
1968	svchost.com
1476	svchost.com
1476	svchost.com
2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
1400	svchost.com
1400	svchost.com
1396	svchost.com
1396	svchost.com
2776	svchost.com
2776	svchost.com
848	svchost.com
848	svchost.com
1916	svchost.com
1916	svchost.com
2160	svchost.com
2160	svchost.com
2520	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service = "C:\\Windows\\Cursors\\services.exe"	JAFFAC~1.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	JAFFAC~1.exe
File opened (read-only)	\??\G:	JAFFAC~1.exe
File opened (read-only)	\??\J:	JAFFAC~1.exe
File opened (read-only)	\??\K:	JAFFAC~1.exe
File opened (read-only)	\??\R:	JAFFAC~1.exe
File opened (read-only)	\??\S:	JAFFAC~1.exe
File opened (read-only)	\??\T:	JAFFAC~1.exe
File opened (read-only)	\??\U:	JAFFAC~1.exe
File opened (read-only)	\??\W:	JAFFAC~1.exe
File opened (read-only)	\??\A:	JAFFAC~1.exe
File opened (read-only)	\??\B:	JAFFAC~1.exe
File opened (read-only)	\??\X:	JAFFAC~1.exe
File opened (read-only)	\??\Y:	JAFFAC~1.exe
File opened (read-only)	\??\E:	JAFFAC~1.exe
File opened (read-only)	\??\N:	JAFFAC~1.exe
File opened (read-only)	\??\O:	JAFFAC~1.exe
File opened (read-only)	\??\P:	JAFFAC~1.exe
File opened (read-only)	\??\Q:	JAFFAC~1.exe
File opened (read-only)	\??\H:	JAFFAC~1.exe
File opened (read-only)	\??\I:	JAFFAC~1.exe
File opened (read-only)	\??\L:	JAFFAC~1.exe
File opened (read-only)	\??\M:	JAFFAC~1.exe
File opened (read-only)	\??\Z:	JAFFAC~1.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-2159-0x0000000000220000-0x0000000000248000-memory.dmp	upx
behavioral1/files/0x000b000000015d88-2161.dat	upx
behavioral1/memory/2916-2166-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2916-2185-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\Program Files\Program Files.exe	JAFFAC~1.exe
File created	C:\Program Files (x86)\Program Files (x86).exe	JAFFAC~1.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\Program Files (x86)\Program Files (x86).exe	JAFFAC~1.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000002359ad291100557365727300600008000400efbeee3a851a2359ad292a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000002359e82a10204c6f63616c00380008000400efbe2359ad292359e82a2a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000365ae431102054656d700000360008000400efbe2359ad29365ae4312a00000001020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000002359ad29122041707044617461003c0008000400efbe2359ad292359ad292a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000002359122d100041646d696e00380008000400efbe2359ad292359122d2a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	poserv.exe
Token: SeSecurityPrivilege	2132	poserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2456	2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	31
PID 2080 wrote to memory of 2456	2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	31
PID 2080 wrote to memory of 2456	2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	31
PID 2080 wrote to memory of 2456	2080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	31
PID 2456 wrote to memory of 2088	2456	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	32
PID 2456 wrote to memory of 2088	2456	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	32
PID 2456 wrote to memory of 2088	2456	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	32
PID 2456 wrote to memory of 2088	2456	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	32
PID 2088 wrote to memory of 2804	2088	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt	33
PID 2088 wrote to memory of 2804	2088	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt	33
PID 2088 wrote to memory of 2804	2088	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt	33
PID 2088 wrote to memory of 2804	2088	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt	33
PID 2804 wrote to memory of 2252	2804	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	34
PID 2804 wrote to memory of 2252	2804	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	34
PID 2804 wrote to memory of 2252	2804	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	34
PID 2804 wrote to memory of 2252	2804	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	34
PID 2252 wrote to memory of 2836	2252	svchost.com	35
PID 2252 wrote to memory of 2836	2252	svchost.com	35
PID 2252 wrote to memory of 2836	2252	svchost.com	35
PID 2252 wrote to memory of 2836	2252	svchost.com	35
PID 2836 wrote to memory of 2868	2836	JAFFAC~1.EXE	36
PID 2836 wrote to memory of 2868	2836	JAFFAC~1.EXE	36
PID 2836 wrote to memory of 2868	2836	JAFFAC~1.EXE	36
PID 2836 wrote to memory of 2868	2836	JAFFAC~1.EXE	36
PID 2868 wrote to memory of 2532	2868	svchost.com	37
PID 2868 wrote to memory of 2532	2868	svchost.com	37
PID 2868 wrote to memory of 2532	2868	svchost.com	37
PID 2868 wrote to memory of 2532	2868	svchost.com	37
PID 2532 wrote to memory of 2608	2532	JAFFAC~1.EXE	38
PID 2532 wrote to memory of 2608	2532	JAFFAC~1.EXE	38
PID 2532 wrote to memory of 2608	2532	JAFFAC~1.EXE	38
PID 2532 wrote to memory of 2608	2532	JAFFAC~1.EXE	38
PID 2608 wrote to memory of 3020	2608	svchost.com	39
PID 2608 wrote to memory of 3020	2608	svchost.com	39
PID 2608 wrote to memory of 3020	2608	svchost.com	39
PID 2608 wrote to memory of 3020	2608	svchost.com	39
PID 3020 wrote to memory of 1744	3020	JAFFAC~1.EXE	40
PID 3020 wrote to memory of 1744	3020	JAFFAC~1.EXE	40
PID 3020 wrote to memory of 1744	3020	JAFFAC~1.EXE	40
PID 3020 wrote to memory of 1744	3020	JAFFAC~1.EXE	40
PID 1744 wrote to memory of 1840	1744	svchost.com	41
PID 1744 wrote to memory of 1840	1744	svchost.com	41
PID 1744 wrote to memory of 1840	1744	svchost.com	41
PID 1744 wrote to memory of 1840	1744	svchost.com	41
PID 1840 wrote to memory of 2800	1840	JAFFAC~1.EXE	42
PID 1840 wrote to memory of 2800	1840	JAFFAC~1.EXE	42
PID 1840 wrote to memory of 2800	1840	JAFFAC~1.EXE	42
PID 1840 wrote to memory of 2800	1840	JAFFAC~1.EXE	42
PID 2800 wrote to memory of 1792	2800	svchost.com	43
PID 2800 wrote to memory of 1792	2800	svchost.com	43
PID 2800 wrote to memory of 1792	2800	svchost.com	43
PID 2800 wrote to memory of 1792	2800	svchost.com	43
PID 1792 wrote to memory of 1680	1792	JAFFAC~1.EXE	126
PID 1792 wrote to memory of 1680	1792	JAFFAC~1.EXE	126
PID 1792 wrote to memory of 1680	1792	JAFFAC~1.EXE	126
PID 1792 wrote to memory of 1680	1792	JAFFAC~1.EXE	126
PID 1680 wrote to memory of 884	1680	svchost.com	45
PID 1680 wrote to memory of 884	1680	svchost.com	45
PID 1680 wrote to memory of 884	1680	svchost.com	45
PID 1680 wrote to memory of 884	1680	svchost.com	45
PID 884 wrote to memory of 484	884	JAFFAC~1.EXE	129
PID 884 wrote to memory of 484	884	JAFFAC~1.EXE	129
PID 884 wrote to memory of 484	884	JAFFAC~1.EXE	129
PID 884 wrote to memory of 484	884	JAFFAC~1.EXE	129

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt
    "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        66⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        67⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        68⤵
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        69⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        70⤵
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        71⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        73⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        74⤵
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        75⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        76⤵
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        77⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        78⤵
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        79⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        80⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        81⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        82⤵
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        83⤵
        Drops file in Windows directory
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        84⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        85⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        86⤵
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        87⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        88⤵
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        89⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        90⤵
        
        PID:1724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        92⤵
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        94⤵
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        96⤵
        Drops file in Windows directory
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        98⤵
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        99⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        100⤵
        
        PID:484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        102⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        104⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        105⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        106⤵
        
        PID:964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        107⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        108⤵
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        109⤵
        Drops file in Windows directory
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        110⤵
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        111⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        113⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        115⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        116⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        118⤵
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        119⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        120⤵
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        121⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        122⤵
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        123⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        124⤵
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        125⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        126⤵
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        127⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        128⤵
        
        PID:2212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        129⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        130⤵
        Drops file in Windows directory
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        131⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        133⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        134⤵
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        135⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        136⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        138⤵
        Drops file in Windows directory
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        140⤵
        
        PID:1476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        141⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        142⤵
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        144⤵
        
        PID:1288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        145⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        146⤵
        
        PID:1604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        147⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        148⤵
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        149⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        150⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        151⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        152⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        153⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        154⤵
        
        PID:964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        155⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        156⤵
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        157⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        158⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        159⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        160⤵
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        161⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        162⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        163⤵
        Drops file in Windows directory
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        164⤵
        Drops file in Windows directory
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        165⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        166⤵
        
        PID:1004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        168⤵
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        169⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        170⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        171⤵
        Drops file in Windows directory
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        172⤵
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        173⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        174⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        175⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        176⤵
        
        PID:2276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        178⤵
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        179⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        181⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        183⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        184⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        185⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        186⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        187⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        188⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        189⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        190⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        191⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        192⤵
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        193⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        194⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        195⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        196⤵
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        197⤵
        Drops file in Windows directory
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        198⤵
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        199⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        200⤵
        Drops file in Windows directory
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        201⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        202⤵
        
        PID:964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        203⤵
        Drops file in Windows directory
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        205⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        206⤵
        
        PID:960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        207⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        208⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        209⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        210⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        211⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        212⤵
        Drops file in Windows directory
        
        PID:1800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        213⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        214⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        215⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        216⤵
        Drops file in Windows directory
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        217⤵
        Drops file in Windows directory
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        218⤵
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        219⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        220⤵
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        221⤵
        Drops file in Windows directory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        222⤵
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        223⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        224⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        225⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        226⤵
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        227⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        228⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        229⤵
        Drops file in Windows directory
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        230⤵
        
        PID:904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        234⤵
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        235⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        238⤵
        
        PID:1780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        239⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        240⤵
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        242⤵
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        243⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        244⤵
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        245⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        246⤵
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        247⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        248⤵
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        249⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        250⤵
        
        PID:676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        252⤵
        Drops file in Windows directory
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        253⤵
        Drops file in Windows directory
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        255⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        256⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        257⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        258⤵
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        259⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        260⤵
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        261⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        262⤵
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        263⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        265⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        266⤵
        Drops file in Windows directory
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        267⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        268⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        269⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        270⤵
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        271⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        272⤵
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        273⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        274⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        276⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        277⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        278⤵
        Drops file in Windows directory
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        279⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        280⤵
        Drops file in Windows directory
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        281⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        282⤵
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        283⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        284⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        285⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        286⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        288⤵
        
        PID:884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        289⤵
        Drops file in Windows directory
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        290⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        291⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        293⤵
        Drops file in Windows directory
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        296⤵
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        297⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        298⤵
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        299⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        300⤵
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        301⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        302⤵
        
        PID:960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        303⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        304⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        305⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        306⤵
        
        PID:2412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        307⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        308⤵
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        309⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        310⤵
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        311⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        312⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        313⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        314⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        315⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        316⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        317⤵
        Drops file in Windows directory
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        318⤵
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        319⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        320⤵
        Drops file in Windows directory
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        321⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        322⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        323⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        324⤵
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        325⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        326⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        327⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        328⤵
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        329⤵
        Drops file in Windows directory
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        330⤵
        Drops file in Windows directory
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        331⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        332⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        333⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        334⤵
        
        PID:292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        336⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        337⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        338⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        339⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        340⤵
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        341⤵
        Drops file in Windows directory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        342⤵
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        343⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        344⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        345⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        346⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        347⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        348⤵
        Drops file in Windows directory
        
        PID:1524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        349⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        350⤵
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        351⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        352⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        353⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        354⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        355⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        356⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        357⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        358⤵
        Drops file in Windows directory
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        360⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        361⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        362⤵
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        363⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        364⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        366⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        367⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        368⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        369⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        370⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        371⤵
        Drops file in Windows directory
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        372⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        373⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        374⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        375⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        376⤵
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        377⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        378⤵
        Drops file in Windows directory
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        379⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        380⤵
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        381⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        382⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        383⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        384⤵
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        385⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        386⤵
        
        PID:1196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        387⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        388⤵
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        389⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        390⤵
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        391⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        392⤵
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        393⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        394⤵
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        395⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        396⤵
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        397⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        398⤵
        
        PID:988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        399⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        400⤵
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        401⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        402⤵
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        403⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        404⤵
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        405⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        406⤵
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        407⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        408⤵
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        409⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        410⤵
        Drops file in Windows directory
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        411⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        412⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        413⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        414⤵
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        415⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        416⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        417⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        418⤵
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        419⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        420⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        421⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        422⤵
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        423⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        424⤵
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        425⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        426⤵
        Drops file in Windows directory
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        427⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        428⤵
        
        PID:292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        429⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        430⤵
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        431⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        432⤵
        Drops file in Windows directory
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        433⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        434⤵
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        435⤵
        Drops file in Windows directory
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        436⤵
        
        PID:836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        437⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        438⤵
        
        PID:328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        439⤵
        Drops file in Windows directory
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        440⤵
        
        PID:676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        441⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        442⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        443⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        444⤵
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        445⤵
        Drops file in Windows directory
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        446⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        447⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        448⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        449⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        450⤵
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        451⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        452⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        453⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        454⤵
        
        PID:2240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        455⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        456⤵
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        457⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        458⤵
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        459⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        460⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        461⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        462⤵
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        463⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        464⤵
        Drops file in Windows directory
        
        PID:1492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        465⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        466⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        467⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        468⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        469⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        470⤵
        Drops file in Windows directory
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        471⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        472⤵
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        473⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        474⤵
        Drops file in Windows directory
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        475⤵
        Drops file in Windows directory
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        476⤵
        
        PID:292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        477⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        478⤵
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        479⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        480⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        481⤵
        Drops file in Windows directory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        482⤵
        Drops file in Windows directory
        
        PID:3000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        483⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        484⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        485⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        486⤵
        Drops file in Windows directory
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        487⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        488⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        489⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        490⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        491⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        492⤵
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        493⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        494⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.rnt
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.rnt"
        495⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe"
        496⤵
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe"
        497⤵
        Drops file in Windows directory
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        498⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        Enumerates connected drives
        Drops file in Program Files directory
        
        PID:2916
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\3582-490\..
        499⤵
        
        PID:2260

C:\Windows\poserv.exe
"C:\Windows\poserv.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
2142b0fff4fbaaaa52bb901730f4b58c

SHA1
8c139ed4e04bb6413200716f0567bf76262e3051

SHA256
da7c7e2a69816a8e1c3cd016bdd461c5b55963ef6f198287098b193893d37a54

SHA512
f9055d72c535836ec3f06278a7891572665e943ca5af52f84ee368504e82a1f2ce330d455b8420a61e8576b9c8daa08063905df50c76248c58d8c9c97a03c7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE

Filesize
92KB

MD5
7702c9a63b91fb47fc5876d1333593a2

SHA1
e41817b7887c5872ddcba29087301d72f35b3007

SHA256
0fc6f89ddd950a26e946273cf27ab2dfd087d0fd393b5f3d55327b7e116a2c6d

SHA512
086ce917b4168012dbf108cdbacfac65b1f953f0dcc038f2ca4edc550ad29f9f91af0bd68cccd7f251048f2d20b616e5a8363a0d082306fd1cf343272aee083c

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
d00231277f818c7c8935a9a5d6a5b8e3

SHA1
d883f120b0a14328e11b9028cffe4cea3dd70dc0

SHA256
0d0094ea9f36f6093e06011b4bff3a72b6f71c0381d3d8308258dcd8a7f53672

SHA512
41eb2facce332aad49b3c8dd635d8428ccaebb489e7ca81cb8348eeb736b77ed3fdca2923e7e56a9b35d89a3fd4f0945be58376093afb9890e77572f2df7418a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe

Filesize
245KB

MD5
b3e01a4c77b5471657416d5fb1ce7c9e

SHA1
e82a7f29de5f83b05241e8bfeeb31a48ebff0875

SHA256
816cc4f268d4d2ae61874525362e1138c3efaf49a506dd943712c3491bdff886

SHA512
13dec453d8b89162e72836db38a1be8de57cb887dcb2150059be2105a1f9b307458f229f04daea37c1ab0aaac84c0b758f674182cdcd37b1be6f070a35867deb

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe

Filesize
209KB

MD5
58b633dc955586be0c8e9413914a49b9

SHA1
f2d0c3e6a39ad44bec47dc7c66d28b80a9ea493b

SHA256
e0a935464e28af46f42038124735cf6ebb34f7ea0d9c6d2ee76237b30d2fec94

SHA512
3d1ddac7a3d2fc0f43148b173ab98fa7a8d842b518598f5cede0a01cf7b8ccc1ac29c908255737a5e8be3db65e636206c52ec01ad2e92d6e169f71891067aeb7

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt

Filesize
36KB

MD5
8d3681e6e36b3e6ef45d0c18c35b8d96

SHA1
00821442e7005583e800c5b312bad093079c7360

SHA256
7cfc15487f39d3c25854255e917f8562be646d3a2ae6db4a62b09af37607e3ff

SHA512
5bb4cde099ca67aa26499e1a1f060ac4fead61587e241a4778c3d4b42aeb61215d7692dd511ad4069c2a4ce7f601012c62a244b2e4cf2a23194e66ac6ee288ed

Download Submit
memory/328-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/484-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/740-428-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/836-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/848-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/884-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1076-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1092-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1232-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-182-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1396-348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1400-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1476-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1556-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1584-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1584-183-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1796-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1916-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1916-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1932-429-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1948-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2052-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2160-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2180-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2208-2159-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/2244-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2252-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2388-421-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2432-229-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2468-219-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-220-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2532-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2620-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2696-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2776-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2800-107-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2832-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2836-49-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2904-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2916-2185-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2916-2166-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2980-420-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-200-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3020-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads