d9ef7bac0d284adc4d1cd7f6273d10719132c51349a2026ad8a7fe955c52d6e0

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Size

159KB
MD5

adc04b2811c7b78845aa26162dc459b1
SHA1

771edc5ad86866160373831b1b6622785fee147b
SHA256

d9ef7bac0d284adc4d1cd7f6273d10719132c51349a2026ad8a7fe955c52d6e0
SHA512

03ac06f2aa08aaa752235e3720d7c03bad97275dab056e32504b7ca2009f5db6f9a71c9284b2c68a6b864610f87b26fa3e36a2d40e6c0d605aa59d093ad0dcd2
SSDEEP

3072:TKb5zN9u8StaSRnYXOlF8rSUb7dRZjVL1FhHX1/O4:Td4ShurSERXLjhVX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3568	mscomserv.exe
1944	mscomserv.exe
916	mscomserv.exe
1368	mscomserv.exe
3840	mscomserv.exe
4588	mscomserv.exe
1584	mscomserv.exe
4724	mscomserv.exe
636	mscomserv.exe
3464	mscomserv.exe
3376	mscomserv.exe
3480	mscomserv.exe
4260	mscomserv.exe
4288	mscomserv.exe
2732	mscomserv.exe
1796	mscomserv.exe
1676	mscomserv.exe
4356	mscomserv.exe
3008	mscomserv.exe
1788	mscomserv.exe
2460	mscomserv.exe
1892	mscomserv.exe
3596	mscomserv.exe
3744	mscomserv.exe
4904	mscomserv.exe
968	mscomserv.exe
1584	mscomserv.exe
4724	mscomserv.exe
3584	mscomserv.exe
2780	mscomserv.exe
468	mscomserv.exe
3288	mscomserv.exe
2776	mscomserv.exe
3432	mscomserv.exe
2732	mscomserv.exe
648	mscomserv.exe
3836	mscomserv.exe
2228	mscomserv.exe
4752	mscomserv.exe
1064	mscomserv.exe
5080	mscomserv.exe
1708	mscomserv.exe
5072	mscomserv.exe
1892	mscomserv.exe
1920	mscomserv.exe
4708	mscomserv.exe
4944	mscomserv.exe
2376	mscomserv.exe
2820	mscomserv.exe
1696	mscomserv.exe
3888	mscomserv.exe
1756	mscomserv.exe
2740	mscomserv.exe
4444	mscomserv.exe
4988	mscomserv.exe
4872	mscomserv.exe
2348	mscomserv.exe
4640	mscomserv.exe
4960	mscomserv.exe
2724	mscomserv.exe
4432	mscomserv.exe
1108	mscomserv.exe
4104	mscomserv.exe
832	mscomserv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.bin	mscomserv.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mscomserv.exe	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscomserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 4256	3640	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	85
PID 3640 wrote to memory of 4256	3640	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	85
PID 3640 wrote to memory of 4256	3640	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	85
PID 4256 wrote to memory of 2076	4256	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	90
PID 4256 wrote to memory of 2076	4256	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	90
PID 4256 wrote to memory of 2076	4256	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	90
PID 2076 wrote to memory of 4280	2076	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	93
PID 2076 wrote to memory of 4280	2076	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	93
PID 2076 wrote to memory of 4280	2076	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	93
PID 4280 wrote to memory of 3504	4280	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	97
PID 4280 wrote to memory of 3504	4280	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	97
PID 4280 wrote to memory of 3504	4280	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	97
PID 3504 wrote to memory of 3724	3504	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	101
PID 3504 wrote to memory of 3724	3504	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	101
PID 3504 wrote to memory of 3724	3504	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	101
PID 3724 wrote to memory of 3444	3724	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	103
PID 3724 wrote to memory of 3444	3724	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	103
PID 3724 wrote to memory of 3444	3724	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	103
PID 3444 wrote to memory of 5064	3444	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	106
PID 3444 wrote to memory of 5064	3444	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	106
PID 3444 wrote to memory of 5064	3444	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	106
PID 5064 wrote to memory of 1660	5064	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	108
PID 5064 wrote to memory of 1660	5064	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	108
PID 5064 wrote to memory of 1660	5064	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	108
PID 1660 wrote to memory of 1112	1660	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	110
PID 1660 wrote to memory of 1112	1660	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	110
PID 1660 wrote to memory of 1112	1660	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	110
PID 1112 wrote to memory of 1180	1112	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	114
PID 1112 wrote to memory of 1180	1112	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	114
PID 1112 wrote to memory of 1180	1112	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	114
PID 1180 wrote to memory of 1996	1180	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	116
PID 1180 wrote to memory of 1996	1180	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	116
PID 1180 wrote to memory of 1996	1180	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	116
PID 1996 wrote to memory of 392	1996	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	118
PID 1996 wrote to memory of 392	1996	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	118
PID 1996 wrote to memory of 392	1996	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	118
PID 392 wrote to memory of 2528	392	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	120
PID 392 wrote to memory of 2528	392	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	120
PID 392 wrote to memory of 2528	392	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	120
PID 2528 wrote to memory of 4776	2528	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	122
PID 2528 wrote to memory of 4776	2528	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	122
PID 2528 wrote to memory of 4776	2528	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	122
PID 4776 wrote to memory of 976	4776	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	124
PID 4776 wrote to memory of 976	4776	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	124
PID 4776 wrote to memory of 976	4776	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	124
PID 976 wrote to memory of 3836	976	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	126
PID 976 wrote to memory of 3836	976	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	126
PID 976 wrote to memory of 3836	976	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	126
PID 3836 wrote to memory of 3700	3836	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	128
PID 3836 wrote to memory of 3700	3836	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	128
PID 3836 wrote to memory of 3700	3836	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	128
PID 3700 wrote to memory of 1544	3700	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	130
PID 3700 wrote to memory of 1544	3700	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	130
PID 3700 wrote to memory of 1544	3700	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	130
PID 1544 wrote to memory of 4392	1544	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	132
PID 1544 wrote to memory of 4392	1544	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	132
PID 1544 wrote to memory of 4392	1544	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	132
PID 4392 wrote to memory of 4884	4392	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	134
PID 4392 wrote to memory of 4884	4392	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	134
PID 4392 wrote to memory of 4884	4392	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	134
PID 4884 wrote to memory of 3120	4884	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	136
PID 4884 wrote to memory of 3120	4884	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	136
PID 4884 wrote to memory of 3120	4884	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	136
PID 3120 wrote to memory of 1456	3120	adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe	138

C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
  a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
    a
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
      a
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        14⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        15⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        17⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        20⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        21⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        23⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        25⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        26⤵
        Drops file in System32 directory
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        27⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        29⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        30⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        32⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        33⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        35⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        36⤵
        Drops file in System32 directory
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        37⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        38⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        39⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        40⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        41⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        42⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        43⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        44⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        45⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        46⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        47⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        48⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        50⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        51⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        52⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        53⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        54⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        55⤵
        Drops file in System32 directory
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        60⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        62⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        63⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        65⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        68⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        69⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        71⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        72⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        73⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        74⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        75⤵
        Drops file in System32 directory
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        76⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        77⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        79⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        80⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        81⤵
        Drops file in System32 directory
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        82⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        84⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        85⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        86⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        87⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        88⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        89⤵
        Drops file in System32 directory
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        90⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        91⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        92⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        93⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        94⤵
        Drops file in System32 directory
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        95⤵
        Drops file in System32 directory
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        97⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        99⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        100⤵
        Drops file in System32 directory
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        101⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        103⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        104⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        105⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        106⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        109⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        110⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        111⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        112⤵
        Drops file in System32 directory
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        114⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        115⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        116⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        117⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        118⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        119⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        120⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        121⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        122⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        123⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        126⤵
        Drops file in System32 directory
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        128⤵
        Drops file in System32 directory
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\adc04b2811c7b78845aa26162dc459b1_JaffaCakes118.exe
        
        a
        130⤵
        
        PID:2916

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3568

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3840

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3464

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4260

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4288

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1676

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4904

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:968

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3584

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:468

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:648

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4752

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1708

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1892

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4708

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4944

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4444

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4872

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4640

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4960

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Executes dropped EXE
PID:832

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4912

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1944

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:1808

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:916

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:3384

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4600

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Drops file in System32 directory
PID:1332

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4944

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:2376

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:2820

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:1696

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3888

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:2508

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:1068

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3640

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:2740

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4444

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1112

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:868

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:468

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4288

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4952

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3528

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3596

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3976

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:3952

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1948

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3132

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3300

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:620

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:4748

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:116

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:5100

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:2964

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4400

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4624

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:2592

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:2568

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3432

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4412

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3220

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:1644

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3380

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:404

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4048

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:2336

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Drops file in System32 directory
PID:5080

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Drops file in System32 directory
PID:892

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:1084

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4280

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3776

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3724

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:4996

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- Drops file in System32 directory
PID:3888

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:412

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:616

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:1612

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:512

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:1260

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:2396

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4636

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:2880

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
- System Location Discovery: System Language Discovery
PID:2332

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:4484

C:\Windows\SysWOW64\mscomserv.exe
C:\Windows\SysWOW64\mscomserv.exe
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mscomserv.bin

Filesize
147B

MD5
a44c8a3d5e93b63af87741df53cbbdc9

SHA1
4f6cde6d88c9aa380ad74cc52ea1a275461dd69a

SHA256
55cad2a5e171227a88d3e8ba1c2cb91be96dbf029285783f291a1b2383030554

SHA512
465640c08843efd347c6150dc0a2b8afa13204c13fc670b2283f9b3d076514b2d7c3a7acf468f941f0804153cd2995551ed6b07676424cd3a87141ed09f3976f

Download Submit
C:\Windows\SysWOW64\mscomserv.exe

Filesize
124KB

MD5
bd51bb04613ea04ff6da854b8c718bf9

SHA1
6c0f16c053d543ca4c254b0c988c32588763be35

SHA256
07f2afe8b9ccd85ff59e942a533bdcd5274a388fed53fbb5d198392a5e84b116

SHA512
893171e87d4191780de834e9f5ebef3649bd2e7bacaa76925fc1ef49e75536ee688e674226462a7ad0cbd9a4f7602fd25c195044a027646fb002a32426ee7c35

Download Submit