neshta | dd2f8520c6310d02a3a40bffc1a718bb2498094ec86f4d9c5bbdba258d9625b9

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
Size

286KB
MD5

0b1023e3a9281eb691bb3b1019fbaa12
SHA1

4694dc893d19f0138937a48418b9d35eb70718ad
SHA256

dd2f8520c6310d02a3a40bffc1a718bb2498094ec86f4d9c5bbdba258d9625b9
SHA512

b9a5872c1ed4e7f3671a129c9c0ae994e796b637d7149964750a37c1078c883971b2a40ea0dba0dcbf184a83a4711162f87480a87a17f4044df5db856fb61bf7
SSDEEP

6144:PuiuiuonhTZ976anhTZ976HEg5EYmEHhXEg5EYmEHhr:1tn76atn76HrughXrughr

Score

10^/10

neshta defense_evasion discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	JAFFAC~1.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JAFFAC~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
2832	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
5080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt
3856	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
4460	svchost.com
1424	JAFFAC~1.EXE
3168	svchost.com
4208	JAFFAC~1.EXE
5092	svchost.com
4868	JAFFAC~1.EXE
3988	svchost.com
2068	JAFFAC~1.EXE
804	svchost.com
1204	JAFFAC~1.EXE
2360	svchost.com
3684	JAFFAC~1.EXE
3976	svchost.com
5100	JAFFAC~1.EXE
4732	svchost.com
3380	JAFFAC~1.EXE
3784	svchost.com
3404	JAFFAC~1.EXE
4844	svchost.com
3972	JAFFAC~1.EXE
2644	svchost.com
2716	JAFFAC~1.EXE
3464	svchost.com
2448	JAFFAC~1.EXE
1616	svchost.com
4320	JAFFAC~1.EXE
2528	svchost.com
3572	JAFFAC~1.EXE
748	svchost.com
4432	JAFFAC~1.EXE
624	svchost.com
3608	JAFFAC~1.EXE
2192	svchost.com
3692	JAFFAC~1.EXE
3996	svchost.com
5040	JAFFAC~1.EXE
4728	svchost.com
1748	JAFFAC~1.EXE
964	svchost.com
3092	JAFFAC~1.EXE
1860	svchost.com
3944	JAFFAC~1.EXE
2352	svchost.com
1148	JAFFAC~1.EXE
3212	svchost.com
3200	JAFFAC~1.EXE
4580	svchost.com
4372	JAFFAC~1.EXE
3948	svchost.com
788	JAFFAC~1.EXE
116	svchost.com
3968	JAFFAC~1.EXE
1792	svchost.com
4188	JAFFAC~1.EXE
4384	svchost.com
916	JAFFAC~1.EXE
4168	svchost.com
4216	JAFFAC~1.EXE
3940	svchost.com
1700	JAFFAC~1.EXE
4780	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service = "C:\\Windows\\Cursors\\services.exe"	JAFFAC~1.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	JAFFAC~1.exe
File opened (read-only)	\??\Y:	JAFFAC~1.exe
File opened (read-only)	\??\B:	JAFFAC~1.exe
File opened (read-only)	\??\E:	JAFFAC~1.exe
File opened (read-only)	\??\J:	JAFFAC~1.exe
File opened (read-only)	\??\L:	JAFFAC~1.exe
File opened (read-only)	\??\M:	JAFFAC~1.exe
File opened (read-only)	\??\O:	JAFFAC~1.exe
File opened (read-only)	\??\T:	JAFFAC~1.exe
File opened (read-only)	\??\X:	JAFFAC~1.exe
File opened (read-only)	\??\A:	JAFFAC~1.exe
File opened (read-only)	\??\G:	JAFFAC~1.exe
File opened (read-only)	\??\H:	JAFFAC~1.exe
File opened (read-only)	\??\I:	JAFFAC~1.exe
File opened (read-only)	\??\P:	JAFFAC~1.exe
File opened (read-only)	\??\R:	JAFFAC~1.exe
File opened (read-only)	\??\V:	JAFFAC~1.exe
File opened (read-only)	\??\K:	JAFFAC~1.exe
File opened (read-only)	\??\Q:	JAFFAC~1.exe
File opened (read-only)	\??\S:	JAFFAC~1.exe
File opened (read-only)	\??\U:	JAFFAC~1.exe
File opened (read-only)	\??\W:	JAFFAC~1.exe
File opened (read-only)	\??\Z:	JAFFAC~1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2988-1429-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/files/0x000d000000023afd-1431.dat	upx
behavioral2/memory/2988-1446-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File created	C:\Program Files\Program Files.exe	JAFFAC~1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE
File opened for modification	C:\Windows\directx.sys	JAFFAC~1.exe
File opened for modification	C:\Windows\svchost.com	JAFFAC~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.rnt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAFFAC~1.EXE

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JAFFAC~1.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1892	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2308	poserv.exe
Token: SeSecurityPrivilege	2308	poserv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1892	explorer.exe
1892	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2832	1172	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	82
PID 1172 wrote to memory of 2832	1172	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	82
PID 1172 wrote to memory of 2832	1172	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	82
PID 2832 wrote to memory of 5080	2832	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	83
PID 2832 wrote to memory of 5080	2832	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	83
PID 2832 wrote to memory of 5080	2832	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	83
PID 5080 wrote to memory of 3856	5080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt	84
PID 5080 wrote to memory of 3856	5080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt	84
PID 5080 wrote to memory of 3856	5080	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt	84
PID 3856 wrote to memory of 4460	3856	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	85
PID 3856 wrote to memory of 4460	3856	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	85
PID 3856 wrote to memory of 4460	3856	JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe	85
PID 4460 wrote to memory of 1424	4460	svchost.com	86
PID 4460 wrote to memory of 1424	4460	svchost.com	86
PID 4460 wrote to memory of 1424	4460	svchost.com	86
PID 1424 wrote to memory of 3168	1424	JAFFAC~1.EXE	87
PID 1424 wrote to memory of 3168	1424	JAFFAC~1.EXE	87
PID 1424 wrote to memory of 3168	1424	JAFFAC~1.EXE	87
PID 3168 wrote to memory of 4208	3168	svchost.com	88
PID 3168 wrote to memory of 4208	3168	svchost.com	88
PID 3168 wrote to memory of 4208	3168	svchost.com	88
PID 4208 wrote to memory of 5092	4208	JAFFAC~1.EXE	89
PID 4208 wrote to memory of 5092	4208	JAFFAC~1.EXE	89
PID 4208 wrote to memory of 5092	4208	JAFFAC~1.EXE	89
PID 5092 wrote to memory of 4868	5092	svchost.com	90
PID 5092 wrote to memory of 4868	5092	svchost.com	90
PID 5092 wrote to memory of 4868	5092	svchost.com	90
PID 4868 wrote to memory of 3988	4868	JAFFAC~1.EXE	91
PID 4868 wrote to memory of 3988	4868	JAFFAC~1.EXE	91
PID 4868 wrote to memory of 3988	4868	JAFFAC~1.EXE	91
PID 3988 wrote to memory of 2068	3988	svchost.com	92
PID 3988 wrote to memory of 2068	3988	svchost.com	92
PID 3988 wrote to memory of 2068	3988	svchost.com	92
PID 2068 wrote to memory of 804	2068	JAFFAC~1.EXE	93
PID 2068 wrote to memory of 804	2068	JAFFAC~1.EXE	93
PID 2068 wrote to memory of 804	2068	JAFFAC~1.EXE	93
PID 804 wrote to memory of 1204	804	svchost.com	94
PID 804 wrote to memory of 1204	804	svchost.com	94
PID 804 wrote to memory of 1204	804	svchost.com	94
PID 1204 wrote to memory of 2360	1204	JAFFAC~1.EXE	95
PID 1204 wrote to memory of 2360	1204	JAFFAC~1.EXE	95
PID 1204 wrote to memory of 2360	1204	JAFFAC~1.EXE	95
PID 2360 wrote to memory of 3684	2360	svchost.com	96
PID 2360 wrote to memory of 3684	2360	svchost.com	96
PID 2360 wrote to memory of 3684	2360	svchost.com	96
PID 3684 wrote to memory of 3976	3684	JAFFAC~1.EXE	97
PID 3684 wrote to memory of 3976	3684	JAFFAC~1.EXE	97
PID 3684 wrote to memory of 3976	3684	JAFFAC~1.EXE	97
PID 3976 wrote to memory of 5100	3976	svchost.com	98
PID 3976 wrote to memory of 5100	3976	svchost.com	98
PID 3976 wrote to memory of 5100	3976	svchost.com	98
PID 5100 wrote to memory of 4732	5100	JAFFAC~1.EXE	99
PID 5100 wrote to memory of 4732	5100	JAFFAC~1.EXE	99
PID 5100 wrote to memory of 4732	5100	JAFFAC~1.EXE	99
PID 4732 wrote to memory of 3380	4732	svchost.com	100
PID 4732 wrote to memory of 3380	4732	svchost.com	100
PID 4732 wrote to memory of 3380	4732	svchost.com	100
PID 3380 wrote to memory of 3784	3380	JAFFAC~1.EXE	177
PID 3380 wrote to memory of 3784	3380	JAFFAC~1.EXE	177
PID 3380 wrote to memory of 3784	3380	JAFFAC~1.EXE	177
PID 3784 wrote to memory of 3404	3784	svchost.com	102
PID 3784 wrote to memory of 3404	3784	svchost.com	102
PID 3784 wrote to memory of 3404	3784	svchost.com	102
PID 3404 wrote to memory of 4844	3404	JAFFAC~1.EXE	103

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt
    "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        66⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        68⤵
        Checks computer location settings
        
        PID:4296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        69⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        70⤵
        Drops file in Windows directory
        
        PID:4312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        71⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        73⤵
        Drops file in Windows directory
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        74⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        76⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        77⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        78⤵
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        79⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        80⤵
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        81⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        82⤵
        Checks computer location settings
        
        PID:4472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        83⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        84⤵
        
        PID:3544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        85⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        86⤵
        Checks computer location settings
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        87⤵
        Drops file in Windows directory
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        88⤵
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        89⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        90⤵
        Checks computer location settings
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        91⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        93⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        94⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        95⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        96⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        97⤵
        Drops file in Windows directory
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        99⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        100⤵
        Modifies registry class
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        101⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        102⤵
        Checks computer location settings
        
        PID:4120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        103⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        104⤵
        Checks computer location settings
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        105⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        106⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        109⤵
        Drops file in Windows directory
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        110⤵
        Modifies registry class
        
        PID:3912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        111⤵
        Drops file in Windows directory
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        112⤵
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        113⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        114⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        115⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        117⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        118⤵
        Modifies registry class
        
        PID:4088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        119⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        120⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        121⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        122⤵
        Checks computer location settings
        
        PID:228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        123⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        124⤵
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        125⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        126⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        127⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        128⤵
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        129⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        130⤵
        Checks computer location settings
        
        PID:400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        131⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        132⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        133⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        134⤵
        Checks computer location settings
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        135⤵
        Drops file in Windows directory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        137⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        138⤵
        
        PID:4264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        139⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        140⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        141⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        143⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        144⤵
        
        PID:4844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        145⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        146⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        148⤵
        Modifies registry class
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        150⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        151⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        152⤵
        Modifies registry class
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        153⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        154⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        155⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        156⤵
        Drops file in Windows directory
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        157⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        158⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        159⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        160⤵
        Checks computer location settings
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        161⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        162⤵
        Drops file in Windows directory
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        163⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        165⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        166⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        167⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        168⤵
        Checks computer location settings
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        170⤵
        Checks computer location settings
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        171⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        172⤵
        
        PID:400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        173⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        174⤵
        
        PID:4400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        175⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        176⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        178⤵
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        179⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        180⤵
        Modifies registry class
        
        PID:1404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        181⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        183⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        184⤵
        Checks computer location settings
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        185⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        186⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        187⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        188⤵
        Checks computer location settings
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        189⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        190⤵
        Checks computer location settings
        
        PID:3404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        191⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        192⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        193⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        194⤵
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        195⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        196⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        197⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        198⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        199⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        200⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        201⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        202⤵
        
        PID:4916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        203⤵
        Drops file in Windows directory
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        204⤵
        
        PID:4380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        205⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        206⤵
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        207⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        208⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        209⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        210⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        211⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        212⤵
        Checks computer location settings
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        213⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        214⤵
        Modifies registry class
        
        PID:4940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        216⤵
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        217⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        218⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        220⤵
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        222⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        223⤵
        Drops file in Windows directory
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        224⤵
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        225⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        226⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        227⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        228⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        229⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        230⤵
        
        PID:1888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        231⤵
        Drops file in Windows directory
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        232⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        233⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        234⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        235⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        236⤵
        Modifies registry class
        
        PID:3200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        237⤵
        Drops file in Windows directory
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        238⤵
        
        PID:3160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        239⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        240⤵
        Drops file in Windows directory
        
        PID:3220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        241⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        242⤵
        Modifies registry class
        
        PID:3860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        243⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        244⤵
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        245⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        246⤵
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        248⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        249⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        250⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        251⤵
        Drops file in Windows directory
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        252⤵
        Checks computer location settings
        Modifies registry class
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        254⤵
        Checks computer location settings
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        255⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        256⤵
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        257⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        258⤵
        Checks computer location settings
        Modifies registry class
        
        PID:428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        260⤵
        Modifies registry class
        
        PID:4140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        261⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        262⤵
        
        PID:4636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        263⤵
        Drops file in Windows directory
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        264⤵
        Modifies registry class
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        265⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        266⤵
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        267⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        268⤵
        
        PID:4864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        269⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        270⤵
        Checks computer location settings
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        271⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        272⤵
        Checks computer location settings
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        273⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        274⤵
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        276⤵
        Checks computer location settings
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        277⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        279⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        280⤵
        Checks computer location settings
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        281⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        282⤵
        Modifies registry class
        
        PID:3632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        283⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        284⤵
        Drops file in Windows directory
        
        PID:3220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        286⤵
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        287⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        288⤵
        Checks computer location settings
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        289⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        290⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        292⤵
        
        PID:728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        293⤵
        Drops file in Windows directory
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        294⤵
        
        PID:1900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        295⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        296⤵
        
        PID:3888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        297⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        298⤵
        Checks computer location settings
        
        PID:4488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        300⤵
        
        PID:4360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        301⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        302⤵
        Checks computer location settings
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        303⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        304⤵
        Modifies registry class
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        305⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        306⤵
        
        PID:4992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        307⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        308⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        309⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        310⤵
        Checks computer location settings
        
        PID:1508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        311⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        312⤵
        Modifies registry class
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        313⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        314⤵
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        315⤵
        Drops file in Windows directory
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        316⤵
        Checks computer location settings
        
        PID:1392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        317⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        318⤵
        
        PID:3208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        319⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        320⤵
        Drops file in Windows directory
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        321⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        322⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        324⤵
        Checks computer location settings
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        325⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        326⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        327⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        328⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        329⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        330⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        332⤵
        Checks computer location settings
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        333⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        334⤵
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        335⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        336⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        337⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        338⤵
        
        PID:3408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        339⤵
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        340⤵
        Modifies registry class
        
        PID:3664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        341⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        342⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        343⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        344⤵
        Checks computer location settings
        
        PID:3140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        345⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        346⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        347⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        348⤵
        Checks computer location settings
        
        PID:5024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        349⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        350⤵
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        351⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        352⤵
        
        PID:3452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        353⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        354⤵
        Checks computer location settings
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        355⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        356⤵
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        357⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        358⤵
        
        PID:3336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        359⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        360⤵
        Modifies registry class
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        361⤵
        Drops file in Windows directory
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        362⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        363⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        364⤵
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        365⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        366⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        367⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        368⤵
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        369⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        370⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        371⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        372⤵
        
        PID:4940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        373⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        374⤵
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE"
        375⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.EXE
        376⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.rnt
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.rnt"
        377⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe"
        378⤵
        Modifies registry class
        
        PID:712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe"
        379⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        380⤵
        Drops file in Windows directory
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe"
        381⤵
        Drops file in Windows directory
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        382⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe"
        383⤵
        Drops file in Windows directory
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        384⤵
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe"
        385⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\JAFFAC~1.exe
        386⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        Enumerates connected drives
        Drops file in Program Files directory
        
        PID:2988
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\3582-490\..
        387⤵
        
        PID:4356

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 2b178b3328bf577d370964cc9b7be07c 5sVa2uePMEe/UEHHXgncUQ.0.1.0.0.0
1⤵
PID:1200
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3924

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4312

C:\Windows\poserv.exe
"C:\Windows\poserv.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
eeb875c0b3c567ce160b6065fa9955c0

SHA1
ee0e1efba40d38746a54bc285f0bd38198550564

SHA256
995bd211c7e3bb5e6ed86064d2c648537b2c5c058f3ca81ab9307cdb0ac2530a

SHA512
416bece422edd84337b789bdbd1e3f888d67dfe1dabbd114ebf07b968d68b848cc10880c2ad439413b47cf1191c273125130399bcc9c4a2ed5719553c51c3ad6

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
2e989da204d9c4c3e375a32edf4d16e7

SHA1
e8a0bf8b4ae4f26e2af5c1748de6055ba4308129

SHA256
cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec

SHA512
3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
3e8712e3f8ce04d61b1c23d9494e1154

SHA1
7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4

SHA256
7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9

SHA512
d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
3ccfc6967bcfea597926999974eb0cf9

SHA1
6736e7886e848d41de098cd00b8279c9bc94d501

SHA256
a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9

SHA512
f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
823cb3e3a3de255bdb0d1f362f6f48ab

SHA1
9027969c2f7b427527b23cb7ab1a0abc1898b262

SHA256
b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f

SHA512
0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
52927c2ff6260abef9d440b92d7894ef

SHA1
d766ec8d31a1b3ec68709adffb333b9b0aecc990

SHA256
0f5d7ae5106f842b482a1708b7ddf62803075ec7c1bebae44e21ba0fdd15db3d

SHA512
5fd72ee89f89c8008c6afa664247c97447d23086b686a9b8b1b28bba60399b82d9997cd7088e7356a992b47faff3f117c319e595f3b73fec55f4452e1d3071d4

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
6ecccb4bab82a4971897aa0bcb2f14be

SHA1
1c680d6f8ca6a0436b5935906a2d9c4699a7a412

SHA256
c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1

SHA512
d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
a12297c17e3747647d5c29d67edd4d9a

SHA1
6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d

SHA256
288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2

SHA512
e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
78f77aff4993684fdbcad13c74d5f364

SHA1
0b02ed9112021b3c65778fdce0642e81dfb5b628

SHA256
9f707deff2f5b5a8c611c5926362c4ffc82f5744a4699f3fb1ee3ef6bb9b2cfb

SHA512
568c1abf5f6d13fe37cb55a5f5992dea38e30fc80812a977c0ae25ed30f67321db8f4c0da2ae4ae558e58dc430885fa13c1f7f1d6b2d6bb51ed031f042defafb

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
b6283a7eb554d995d9a7c72dcfca14b5

SHA1
67d64907800c611bbcefd31d2494da12962f5022

SHA256
099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881

SHA512
a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe

Filesize
245KB

MD5
b3e01a4c77b5471657416d5fb1ce7c9e

SHA1
e82a7f29de5f83b05241e8bfeeb31a48ebff0875

SHA256
816cc4f268d4d2ae61874525362e1138c3efaf49a506dd943712c3491bdff886

SHA512
13dec453d8b89162e72836db38a1be8de57cb887dcb2150059be2105a1f9b307458f229f04daea37c1ab0aaac84c0b758f674182cdcd37b1be6f070a35867deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.exe

Filesize
209KB

MD5
58b633dc955586be0c8e9413914a49b9

SHA1
f2d0c3e6a39ad44bec47dc7c66d28b80a9ea493b

SHA256
e0a935464e28af46f42038124735cf6ebb34f7ea0d9c6d2ee76237b30d2fec94

SHA512
3d1ddac7a3d2fc0f43148b173ab98fa7a8d842b518598f5cede0a01cf7b8ccc1ac29c908255737a5e8be3db65e636206c52ec01ad2e92d6e169f71891067aeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_0b1023e3a9281eb691bb3b1019fbaa12.rnt

Filesize
36KB

MD5
8d3681e6e36b3e6ef45d0c18c35b8d96

SHA1
00821442e7005583e800c5b312bad093079c7360

SHA256
7cfc15487f39d3c25854255e917f8562be646d3a2ae6db4a62b09af37607e3ff

SHA512
5bb4cde099ca67aa26499e1a1f060ac4fead61587e241a4778c3d4b42aeb61215d7692dd511ad4069c2a4ce7f601012c62a244b2e4cf2a23194e66ac6ee288ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Íîâàÿ ïàïêà.exe

Filesize
92KB

MD5
7702c9a63b91fb47fc5876d1333593a2

SHA1
e41817b7887c5872ddcba29087301d72f35b3007

SHA256
0fc6f89ddd950a26e946273cf27ab2dfd087d0fd393b5f3d55327b7e116a2c6d

SHA512
086ce917b4168012dbf108cdbacfac65b1f953f0dcc038f2ca4edc550ad29f9f91af0bd68cccd7f251048f2d20b616e5a8363a0d082306fd1cf343272aee083c

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
52842c74db64e0f3af620fe71622ca34

SHA1
6379c7431bd811b980d9efaf3a64162b864a9425

SHA256
63b271bce2518747b341623b605f18293b155fc0b3a31fb78f128d170465b362

SHA512
9c1842af14f19a2fbece6d2e1061ffefa3b23ceb092960a0122e6753659e4baa2cee891c41a3a4e06235ac3cabaf7543ce01712494a7347ae96c3b32abda44e1

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
d00231277f818c7c8935a9a5d6a5b8e3

SHA1
d883f120b0a14328e11b9028cffe4cea3dd70dc0

SHA256
0d0094ea9f36f6093e06011b4bff3a72b6f71c0381d3d8308258dcd8a7f53672

SHA512
41eb2facce332aad49b3c8dd635d8428ccaebb489e7ca81cb8348eeb736b77ed3fdca2923e7e56a9b35d89a3fd4f0945be58376093afb9890e77572f2df7418a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
memory/116-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-297-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/788-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/804-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/916-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/964-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1148-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1204-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1424-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1616-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1748-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1860-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-424-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2068-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2192-305-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-345-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2448-235-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2528-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2716-220-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-1429-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2988-1446-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3092-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3112-425-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3168-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3200-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3212-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3380-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3404-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3464-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3572-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3608-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3684-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3692-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3784-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3944-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3948-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3968-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3976-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3988-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3996-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4168-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4188-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4208-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4216-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4296-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4320-251-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4372-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4384-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4432-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4460-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4580-361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4728-321-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4732-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4780-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4868-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5100-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads