af682d71b04ff78da928b17cb7f4ab841c6bfb4a1aa50920b7e14deefee3702f

Analysis

max time kernel
121s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe
Size

128KB
MD5

241aba51527cb35faa2e52e798305eab
SHA1

1aff8d07b3baba98bb72b4643d8c07289e53b9fe
SHA256

af682d71b04ff78da928b17cb7f4ab841c6bfb4a1aa50920b7e14deefee3702f
SHA512

2cdfd7c5ea23632d205aed0b819f25703ff1c8e9d5e4b14b4eb8b7004a7c70fe0e7865565377a99a8529d7ceacf5580af7adf73ffb8ad7858db3612b3fb27870
SSDEEP

3072:3jUVmf4sBefCTnU6+/LLN+IWtRqBzUC9YhaMyRhw:wVmAsBeffB+/tRqBzOAw

Score

8^/10

persistence upx

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
32	3120	Process not Found
36	3120	Process not Found
38	3120	Process not Found
39	3120	Process not Found
41	3120	Process not Found
56	528	Process not Found

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	doskeyer.exe

Executes dropped EXE 64 IoCs

pid	Process
3016	doskeyer.exe
4376	doskeyer.exe
4940	doskeyer.exe
4792	doskeyer.exe
1460	doskeyer.exe
2360	doskeyer.exe
3276	doskeyer.exe
4300	doskeyer.exe
4432	doskeyer.exe
2132	doskeyer.exe
3524	doskeyer.exe
4568	doskeyer.exe
1452	doskeyer.exe
2072	doskeyer.exe
4468	doskeyer.exe
1616	doskeyer.exe
636	doskeyer.exe
4436	doskeyer.exe
4980	doskeyer.exe
3120	doskeyer.exe
3332	doskeyer.exe
4820	doskeyer.exe
3132	doskeyer.exe
3136	doskeyer.exe
4256	doskeyer.exe
4836	doskeyer.exe
1180	doskeyer.exe
1900	doskeyer.exe
2388	doskeyer.exe
3300	doskeyer.exe
1776	doskeyer.exe
5116	doskeyer.exe
3124	doskeyer.exe
3252	doskeyer.exe
1620	doskeyer.exe
1960	doskeyer.exe
640	doskeyer.exe
1636	doskeyer.exe
4020	doskeyer.exe
3472	doskeyer.exe
2256	doskeyer.exe
372	doskeyer.exe
3468	doskeyer.exe
3872	doskeyer.exe
4344	doskeyer.exe
1936	doskeyer.exe
1632	doskeyer.exe
5116	doskeyer.exe
3972	doskeyer.exe
3996	doskeyer.exe
4876	doskeyer.exe
4924	doskeyer.exe
4132	doskeyer.exe
3112	doskeyer.exe
832	doskeyer.exe
3264	doskeyer.exe
4900	doskeyer.exe
4544	doskeyer.exe
4308	doskeyer.exe
2688	doskeyer.exe
708	doskeyer.exe
2712	doskeyer.exe
2472	doskeyer.exe
4324	doskeyer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2776-0-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2776-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/files/0x0008000000023565-7.dat	upx
behavioral2/memory/3016-37-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2776-39-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4376-44-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3016-43-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4376-48-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4940-52-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1460-57-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4792-56-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1460-61-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2360-65-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4300-70-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3276-69-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4300-74-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4432-75-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4432-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2132-80-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2132-84-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4568-89-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3524-88-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4568-93-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1452-97-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2072-98-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2072-102-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4468-103-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4468-107-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1616-111-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/636-112-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/636-115-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4436-121-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4980-119-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4980-125-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3120-129-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3332-130-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3332-134-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4820-138-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3132-142-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3136-146-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4256-147-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4836-153-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4256-152-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/4836-157-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1180-158-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1180-162-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1900-163-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1900-168-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2388-167-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/2388-172-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3300-176-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1776-177-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/5116-181-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1776-183-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3124-188-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/5116-187-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3124-192-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/3252-195-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1960-199-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1620-197-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/640-203-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1960-202-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/640-206-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral2/memory/1636-207-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Keyer = "doskeyer.exe"	doskeyer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File created	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe
File opened for modification	C:\Windows\SysWOW64\doskeyer.exe	doskeyer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	doskeyer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2776	241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3016	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4376	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4940	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4792	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1460	doskeyer.exe
Token: SeIncBasePriorityPrivilege	2360	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3276	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4300	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4432	doskeyer.exe
Token: SeIncBasePriorityPrivilege	2132	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3524	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4568	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1452	doskeyer.exe
Token: SeIncBasePriorityPrivilege	2072	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4468	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1616	doskeyer.exe
Token: SeIncBasePriorityPrivilege	636	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4436	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4980	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3120	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3332	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4820	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3132	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3136	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4256	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4836	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1180	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1900	doskeyer.exe
Token: SeIncBasePriorityPrivilege	2388	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3300	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1776	doskeyer.exe
Token: SeIncBasePriorityPrivilege	5116	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3124	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3252	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1620	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1960	doskeyer.exe
Token: SeIncBasePriorityPrivilege	640	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1636	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4020	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3472	doskeyer.exe
Token: SeIncBasePriorityPrivilege	2256	doskeyer.exe
Token: SeIncBasePriorityPrivilege	372	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3468	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3872	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4344	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1936	doskeyer.exe
Token: SeIncBasePriorityPrivilege	1632	doskeyer.exe
Token: SeIncBasePriorityPrivilege	5116	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3972	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3996	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4876	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4924	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4132	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3112	doskeyer.exe
Token: SeIncBasePriorityPrivilege	832	doskeyer.exe
Token: SeIncBasePriorityPrivilege	3264	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4900	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4544	doskeyer.exe
Token: SeIncBasePriorityPrivilege	4308	doskeyer.exe
Token: SeIncBasePriorityPrivilege	2688	doskeyer.exe
Token: SeIncBasePriorityPrivilege	708	doskeyer.exe
Token: SeIncBasePriorityPrivilege	2712	doskeyer.exe
Token: SeIncBasePriorityPrivilege	2472	doskeyer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3016	2776	241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe	83
PID 2776 wrote to memory of 3016	2776	241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe	83
PID 2776 wrote to memory of 3016	2776	241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe	83
PID 2776 wrote to memory of 2932	2776	241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe	84
PID 2776 wrote to memory of 2932	2776	241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe	84
PID 2776 wrote to memory of 2932	2776	241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe	84
PID 3016 wrote to memory of 4376	3016	doskeyer.exe	87
PID 3016 wrote to memory of 4376	3016	doskeyer.exe	87
PID 3016 wrote to memory of 4376	3016	doskeyer.exe	87
PID 3016 wrote to memory of 5064	3016	doskeyer.exe	88
PID 3016 wrote to memory of 5064	3016	doskeyer.exe	88
PID 3016 wrote to memory of 5064	3016	doskeyer.exe	88
PID 4376 wrote to memory of 4940	4376	doskeyer.exe	91
PID 4376 wrote to memory of 4940	4376	doskeyer.exe	91
PID 4376 wrote to memory of 4940	4376	doskeyer.exe	91
PID 4376 wrote to memory of 672	4376	doskeyer.exe	92
PID 4376 wrote to memory of 672	4376	doskeyer.exe	92
PID 4376 wrote to memory of 672	4376	doskeyer.exe	92
PID 4940 wrote to memory of 4792	4940	doskeyer.exe	94
PID 4940 wrote to memory of 4792	4940	doskeyer.exe	94
PID 4940 wrote to memory of 4792	4940	doskeyer.exe	94
PID 4940 wrote to memory of 840	4940	doskeyer.exe	95
PID 4940 wrote to memory of 840	4940	doskeyer.exe	95
PID 4940 wrote to memory of 840	4940	doskeyer.exe	95
PID 4792 wrote to memory of 1460	4792	doskeyer.exe	97
PID 4792 wrote to memory of 1460	4792	doskeyer.exe	97
PID 4792 wrote to memory of 1460	4792	doskeyer.exe	97
PID 4792 wrote to memory of 3708	4792	doskeyer.exe	98
PID 4792 wrote to memory of 3708	4792	doskeyer.exe	98
PID 4792 wrote to memory of 3708	4792	doskeyer.exe	98
PID 1460 wrote to memory of 2360	1460	doskeyer.exe	100
PID 1460 wrote to memory of 2360	1460	doskeyer.exe	100
PID 1460 wrote to memory of 2360	1460	doskeyer.exe	100
PID 1460 wrote to memory of 3264	1460	doskeyer.exe	129
PID 1460 wrote to memory of 3264	1460	doskeyer.exe	129
PID 1460 wrote to memory of 3264	1460	doskeyer.exe	129
PID 2360 wrote to memory of 3276	2360	doskeyer.exe	103
PID 2360 wrote to memory of 3276	2360	doskeyer.exe	103
PID 2360 wrote to memory of 3276	2360	doskeyer.exe	103
PID 2360 wrote to memory of 4936	2360	doskeyer.exe	104
PID 2360 wrote to memory of 4936	2360	doskeyer.exe	104
PID 2360 wrote to memory of 4936	2360	doskeyer.exe	104
PID 3276 wrote to memory of 4300	3276	doskeyer.exe	106
PID 3276 wrote to memory of 4300	3276	doskeyer.exe	106
PID 3276 wrote to memory of 4300	3276	doskeyer.exe	106
PID 3276 wrote to memory of 4372	3276	doskeyer.exe	107
PID 3276 wrote to memory of 4372	3276	doskeyer.exe	107
PID 3276 wrote to memory of 4372	3276	doskeyer.exe	107
PID 4300 wrote to memory of 4432	4300	doskeyer.exe	109
PID 4300 wrote to memory of 4432	4300	doskeyer.exe	109
PID 4300 wrote to memory of 4432	4300	doskeyer.exe	109
PID 4300 wrote to memory of 4400	4300	doskeyer.exe	110
PID 4300 wrote to memory of 4400	4300	doskeyer.exe	110
PID 4300 wrote to memory of 4400	4300	doskeyer.exe	110
PID 4432 wrote to memory of 2132	4432	doskeyer.exe	112
PID 4432 wrote to memory of 2132	4432	doskeyer.exe	112
PID 4432 wrote to memory of 2132	4432	doskeyer.exe	112
PID 4432 wrote to memory of 4436	4432	doskeyer.exe	140
PID 4432 wrote to memory of 4436	4432	doskeyer.exe	140
PID 4432 wrote to memory of 4436	4432	doskeyer.exe	140
PID 2132 wrote to memory of 3524	2132	doskeyer.exe	117
PID 2132 wrote to memory of 3524	2132	doskeyer.exe	117
PID 2132 wrote to memory of 3524	2132	doskeyer.exe	117
PID 2132 wrote to memory of 4752	2132	doskeyer.exe	144

C:\Users\Admin\AppData\Local\Temp\241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\241aba51527cb35faa2e52e798305eab_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\doskeyer.exe
  "C:\Windows\system32\doskeyer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\doskeyer.exe
    "C:\Windows\system32\doskeyer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\doskeyer.exe
      "C:\Windows\system32\doskeyer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        46⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        60⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        63⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4324
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        66⤵
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        67⤵
        
        PID:208
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        68⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        69⤵
        Checks computer location settings
        
        PID:4936
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        70⤵
        Checks computer location settings
        
        PID:4940
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        71⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2548
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        73⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        74⤵
        Checks computer location settings
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        75⤵
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        77⤵
        Checks computer location settings
        
        PID:648
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        78⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        79⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        80⤵
        Adds Run key to start application
        
        PID:2548
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        81⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        82⤵
        Checks computer location settings
        
        PID:1788
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        84⤵
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        85⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        86⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        87⤵
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        88⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:952
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        89⤵
        Checks computer location settings
        
        PID:4304
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        91⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        92⤵
        Adds Run key to start application
        
        PID:208
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        94⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        95⤵
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        97⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        98⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        100⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2268
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        101⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        102⤵
        Checks computer location settings
        
        PID:3208
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        103⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        104⤵
        Checks computer location settings
        
        PID:2492
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        105⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        106⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        107⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        108⤵
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        109⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        110⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        111⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        112⤵
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        113⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        114⤵
        Adds Run key to start application
        
        PID:4280
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        115⤵
        Checks computer location settings
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        116⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        117⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        118⤵
        Checks computer location settings
        
        PID:2908
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        119⤵
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        121⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        122⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        123⤵
        Adds Run key to start application
        
        PID:4148
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        124⤵
        
        PID:960
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        125⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        126⤵
        Adds Run key to start application
        
        PID:1340
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        128⤵
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        129⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        130⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        131⤵
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        133⤵
        Checks computer location settings
        
        PID:1676
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        134⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        135⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        136⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        137⤵
        Checks computer location settings
        
        PID:2128
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        138⤵
        Adds Run key to start application
        
        PID:2028
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        139⤵
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        140⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        141⤵
        Adds Run key to start application
        
        PID:3664
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        142⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        144⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        145⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        146⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        147⤵
        Checks computer location settings
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        148⤵
        Adds Run key to start application
        
        PID:3128
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        149⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        150⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        151⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        152⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        153⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        154⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        155⤵
        Checks computer location settings
        
        PID:1056
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        156⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        157⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        160⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        161⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        162⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4380
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        163⤵
        Adds Run key to start application
        
        PID:4236
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        164⤵
        Checks computer location settings
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        165⤵
        Adds Run key to start application
        
        PID:4632
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        166⤵
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        167⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        168⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:348
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        169⤵
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        170⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        171⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        172⤵
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        173⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        174⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        175⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        176⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3700
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        177⤵
        Checks computer location settings
        
        PID:3280
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        178⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        179⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        180⤵
        Adds Run key to start application
        
        PID:224
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        181⤵
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        182⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        183⤵
        Adds Run key to start application
        
        PID:2388
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        184⤵
        Adds Run key to start application
        
        PID:3568
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        185⤵
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        186⤵
        Adds Run key to start application
        
        PID:3884
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        187⤵
        Checks computer location settings
        
        PID:3468
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        188⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        189⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        190⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        191⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4812
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        192⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        193⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        194⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        195⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        196⤵
        Checks computer location settings
        
        PID:4028
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        197⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        198⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        199⤵
        Checks computer location settings
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        200⤵
        Adds Run key to start application
        
        PID:1604
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        201⤵
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        202⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        203⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        204⤵
        
        PID:316
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        205⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        206⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        207⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        208⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        209⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        210⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        211⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        212⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        213⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        214⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        215⤵
        
        PID:436
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        216⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        217⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        218⤵
        
        PID:832
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        219⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        220⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        221⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        222⤵
        
        PID:244
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        223⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        224⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        225⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        226⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        227⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        228⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        229⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        230⤵
        
        PID:736
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        231⤵
        
        PID:412
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        232⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        233⤵
        
        PID:640
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        234⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        235⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        236⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        237⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        238⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        239⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        240⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        241⤵
        
        PID:672
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        242⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        243⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        244⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        245⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        246⤵
        
        PID:212
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        247⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        248⤵
        
        PID:452
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        249⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\doskeyer.exe
        
        "C:\Windows\system32\doskeyer.exe"
        250⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        250⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        249⤵
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        250⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        248⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        247⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        246⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        245⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        244⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        243⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        242⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        241⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        240⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        239⤵
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        240⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        238⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        237⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        236⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        235⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        234⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        233⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        232⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        231⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        230⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        229⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        228⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        227⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        226⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        225⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        224⤵
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        223⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        222⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        221⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        222⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        220⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        219⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        218⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        217⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        216⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        215⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        214⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        213⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        212⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        211⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        210⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        209⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        208⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        207⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        206⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        205⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        206⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        204⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        203⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        202⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        201⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        202⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        200⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        199⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        198⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        197⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        196⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        195⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        194⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        193⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        192⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        191⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        190⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        189⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        188⤵
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        187⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        186⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        185⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        184⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        183⤵
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        182⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        181⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        180⤵
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        179⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        178⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        177⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        176⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        175⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        174⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        173⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        172⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        171⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        170⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        169⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        168⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        167⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        166⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        165⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        164⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        163⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        162⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        161⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        160⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        159⤵
        
        PID:872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        158⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        157⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        156⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        155⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        154⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        153⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        152⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        151⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        150⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        149⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        148⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        147⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        146⤵
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        145⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        144⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        143⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        142⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        141⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        140⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        139⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        138⤵
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        137⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        136⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        135⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        134⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        133⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        132⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        131⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        130⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        129⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        128⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        127⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        126⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        125⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        124⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        123⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        122⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        121⤵
        
        PID:3124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        120⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        119⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        118⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        117⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        116⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        115⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        114⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        113⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        112⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        111⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        110⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        109⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        108⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        107⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        106⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        105⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        104⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        103⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        102⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        101⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        100⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        99⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        98⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        97⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        96⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        95⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        94⤵
        
        PID:1760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        93⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        92⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        91⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        90⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        89⤵
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        88⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        87⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        86⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        85⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        84⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        83⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        82⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        81⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        80⤵
        
        PID:3972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        79⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        78⤵
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        77⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        76⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        75⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        74⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        73⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        72⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        71⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        70⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        69⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        68⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        67⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        66⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        65⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        64⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        63⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        62⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        61⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        60⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        59⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        58⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        57⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        56⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        55⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        54⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        53⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        52⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        51⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        50⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        49⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        48⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        47⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        46⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        45⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        44⤵
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        43⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        42⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        41⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        40⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        39⤵
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        38⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        37⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        36⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        35⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        34⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        33⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        32⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        31⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        30⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        29⤵
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        28⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        27⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        26⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        25⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        24⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        23⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        22⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        21⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        20⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        19⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        18⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        17⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        16⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        15⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        14⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        13⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        12⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        11⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        10⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        9⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        7⤵
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        6⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
        5⤵
        
        PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
      4⤵
      PID:672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\doskeyer.exe > nul
    3⤵
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\241ABA~1.EXE > nul
  2⤵
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\doskeyer.exe

Filesize
128KB

MD5
241aba51527cb35faa2e52e798305eab

SHA1
1aff8d07b3baba98bb72b4643d8c07289e53b9fe

SHA256
af682d71b04ff78da928b17cb7f4ab841c6bfb4a1aa50920b7e14deefee3702f

SHA512
2cdfd7c5ea23632d205aed0b819f25703ff1c8e9d5e4b14b4eb8b7004a7c70fe0e7865565377a99a8529d7ceacf5580af7adf73ffb8ad7858db3612b3fb27870

Download Submit
memory/372-223-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/372-226-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/636-112-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/636-115-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/640-206-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/640-203-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/832-273-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/832-276-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1180-158-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1180-162-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1452-97-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1460-57-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1460-61-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1616-111-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1620-197-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1632-242-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1632-245-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1636-207-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1636-210-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1776-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1776-177-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1900-168-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1900-163-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1936-238-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1936-241-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1960-199-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1960-202-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2072-98-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2072-102-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2132-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2132-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2256-219-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2256-222-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2360-65-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2388-172-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2388-167-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-2-0x0000000000424000-0x0000000000444000-memory.dmp

Filesize
128KB

Download
memory/2776-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3016-43-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3016-37-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3112-272-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3112-269-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3120-129-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3124-188-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3124-192-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3132-142-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3136-146-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3252-195-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3276-69-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3300-176-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-134-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-130-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3468-227-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3468-230-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3472-215-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3472-218-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3524-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3872-234-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3872-231-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3972-253-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3972-250-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3996-256-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4020-214-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4020-211-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4132-268-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4132-265-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4256-147-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4256-152-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4300-74-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4300-70-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4344-237-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4376-44-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4376-48-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4432-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4432-75-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4436-121-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4468-103-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4468-107-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4568-93-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4568-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4792-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4820-138-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4836-153-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4836-157-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4876-257-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4876-260-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4924-261-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4924-264-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4940-52-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4980-125-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4980-119-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5116-249-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5116-246-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5116-181-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5116-187-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads