dcc6864883f770c4ccaf486be9975ce581c5c3593df630c0df78b856f0c4c09d

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 15:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe
Size

76KB
MD5

afb7fc5edc8dcdc3e746a823a3058fdc
SHA1

b93edf43f7d712a9ebc5435588206a84cb8cac8b
SHA256

dcc6864883f770c4ccaf486be9975ce581c5c3593df630c0df78b856f0c4c09d
SHA512

ed28b215c41a3d9b2b0620439f42ec0e510bdb2e2897fbed4bde4488cf2a65e628ca1c2a007fe193e85d40e11e628862a54c988b099e070a75d3000e9eb6dc1d
SSDEEP

384:3Jo/3taMWKFSIWUIvBIqyrBzSFeClW1HmbGXLjGU/rHWxjDU80zL:ZovcW32BIq8zSFeeOHH7y0rHWtDJ0z

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2512	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
3068	mh100.exe
768	mh100.exe
2812	mh100.exe
3008	mh100.exe
2772	mh100.exe
2748	mh100.exe
2732	mh100.exe
2096	mh100.exe
1664	mh100.exe
2116	mh100.exe
2904	mh100.exe
2912	mh100.exe
236	mh100.exe
1472	mh100.exe
2708	mh100.exe
2172	mh100.exe
2368	mh100.exe
2372	mh100.exe
684	mh100.exe
2212	mh100.exe
3020	mh100.exe
1616	mh100.exe
1476	mh100.exe
2484	mh100.exe
2548	mh100.exe
568	mh100.exe
1096	mh100.exe
1768	mh100.exe
1016	mh100.exe
2692	mh100.exe
3060	mh100.exe
2380	mh100.exe
2260	mh100.exe
2816	mh100.exe
2804	mh100.exe
2896	mh100.exe
2856	mh100.exe
2780	mh100.exe
2688	mh100.exe
2184	mh100.exe
1132	mh100.exe
2088	mh100.exe
1664	mh100.exe
2340	mh100.exe
2932	mh100.exe
2700	mh100.exe
2912	mh100.exe
1976	mh100.exe
2120	mh100.exe
2216	mh100.exe
2944	mh100.exe
2936	mh100.exe
748	mh100.exe
2604	mh100.exe
2312	mh100.exe
1936	mh100.exe
316	mh100.exe
2972	mh100.exe
1668	mh100.exe
1636	mh100.exe
2436	mh100.exe
2964	mh100.exe
2556	mh100.exe
1876	mh100.exe

Loads dropped DLL 64 IoCs

pid	Process
900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe
900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe
3068	mh100.exe
3068	mh100.exe
768	mh100.exe
768	mh100.exe
2812	mh100.exe
2812	mh100.exe
3008	mh100.exe
3008	mh100.exe
2772	mh100.exe
2772	mh100.exe
2748	mh100.exe
2748	mh100.exe
2732	mh100.exe
2732	mh100.exe
2096	mh100.exe
2096	mh100.exe
1664	mh100.exe
1664	mh100.exe
2116	mh100.exe
2116	mh100.exe
2904	mh100.exe
2904	mh100.exe
2912	mh100.exe
2912	mh100.exe
236	mh100.exe
236	mh100.exe
1472	mh100.exe
1472	mh100.exe
2708	mh100.exe
2708	mh100.exe
2172	mh100.exe
2172	mh100.exe
2368	mh100.exe
2368	mh100.exe
2372	mh100.exe
2372	mh100.exe
684	mh100.exe
684	mh100.exe
2212	mh100.exe
2212	mh100.exe
3020	mh100.exe
3020	mh100.exe
1616	mh100.exe
1616	mh100.exe
1476	mh100.exe
1476	mh100.exe
2484	mh100.exe
2484	mh100.exe
2548	mh100.exe
2548	mh100.exe
568	mh100.exe
568	mh100.exe
1096	mh100.exe
1096	mh100.exe
1768	mh100.exe
1768	mh100.exe
1016	mh100.exe
1016	mh100.exe
2692	mh100.exe
2692	mh100.exe
3060	mh100.exe
3060	mh100.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe
File created	C:\Windows\SysWOW64\mh100.exe	mh100.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mh100.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe
900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe
900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe
900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe
3068	mh100.exe
3068	mh100.exe
3068	mh100.exe
3068	mh100.exe
768	mh100.exe
768	mh100.exe
768	mh100.exe
768	mh100.exe
2812	mh100.exe
2812	mh100.exe
2812	mh100.exe
2812	mh100.exe
3008	mh100.exe
3008	mh100.exe
3008	mh100.exe
3008	mh100.exe
2772	mh100.exe
2772	mh100.exe
2772	mh100.exe
2772	mh100.exe
2748	mh100.exe
2748	mh100.exe
2748	mh100.exe
2748	mh100.exe
2732	mh100.exe
2732	mh100.exe
2732	mh100.exe
2732	mh100.exe
2096	mh100.exe
2096	mh100.exe
2096	mh100.exe
2096	mh100.exe
1664	mh100.exe
1664	mh100.exe
1664	mh100.exe
1664	mh100.exe
2116	mh100.exe
2116	mh100.exe
2116	mh100.exe
2116	mh100.exe
2904	mh100.exe
2904	mh100.exe
2904	mh100.exe
2904	mh100.exe
2912	mh100.exe
2912	mh100.exe
2912	mh100.exe
2912	mh100.exe
236	mh100.exe
236	mh100.exe
236	mh100.exe
236	mh100.exe
1472	mh100.exe
1472	mh100.exe
1472	mh100.exe
1472	mh100.exe
2708	mh100.exe
2708	mh100.exe
2708	mh100.exe
2708	mh100.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 3068	900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe	30
PID 900 wrote to memory of 3068	900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe	30
PID 900 wrote to memory of 3068	900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe	30
PID 900 wrote to memory of 3068	900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe	30
PID 900 wrote to memory of 2512	900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe	31
PID 900 wrote to memory of 2512	900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe	31
PID 900 wrote to memory of 2512	900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe	31
PID 900 wrote to memory of 2512	900	afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe	31
PID 3068 wrote to memory of 768	3068	mh100.exe	33
PID 3068 wrote to memory of 768	3068	mh100.exe	33
PID 3068 wrote to memory of 768	3068	mh100.exe	33
PID 3068 wrote to memory of 768	3068	mh100.exe	33
PID 3068 wrote to memory of 2720	3068	mh100.exe	34
PID 3068 wrote to memory of 2720	3068	mh100.exe	34
PID 3068 wrote to memory of 2720	3068	mh100.exe	34
PID 3068 wrote to memory of 2720	3068	mh100.exe	34
PID 768 wrote to memory of 2812	768	mh100.exe	36
PID 768 wrote to memory of 2812	768	mh100.exe	36
PID 768 wrote to memory of 2812	768	mh100.exe	36
PID 768 wrote to memory of 2812	768	mh100.exe	36
PID 768 wrote to memory of 2860	768	mh100.exe	37
PID 768 wrote to memory of 2860	768	mh100.exe	37
PID 768 wrote to memory of 2860	768	mh100.exe	37
PID 768 wrote to memory of 2860	768	mh100.exe	37
PID 2812 wrote to memory of 3008	2812	mh100.exe	39
PID 2812 wrote to memory of 3008	2812	mh100.exe	39
PID 2812 wrote to memory of 3008	2812	mh100.exe	39
PID 2812 wrote to memory of 3008	2812	mh100.exe	39
PID 2812 wrote to memory of 2896	2812	mh100.exe	40
PID 2812 wrote to memory of 2896	2812	mh100.exe	40
PID 2812 wrote to memory of 2896	2812	mh100.exe	40
PID 2812 wrote to memory of 2896	2812	mh100.exe	40
PID 3008 wrote to memory of 2772	3008	mh100.exe	42
PID 3008 wrote to memory of 2772	3008	mh100.exe	42
PID 3008 wrote to memory of 2772	3008	mh100.exe	42
PID 3008 wrote to memory of 2772	3008	mh100.exe	42
PID 3008 wrote to memory of 2636	3008	mh100.exe	43
PID 3008 wrote to memory of 2636	3008	mh100.exe	43
PID 3008 wrote to memory of 2636	3008	mh100.exe	43
PID 3008 wrote to memory of 2636	3008	mh100.exe	43
PID 2772 wrote to memory of 2748	2772	mh100.exe	45
PID 2772 wrote to memory of 2748	2772	mh100.exe	45
PID 2772 wrote to memory of 2748	2772	mh100.exe	45
PID 2772 wrote to memory of 2748	2772	mh100.exe	45
PID 2772 wrote to memory of 2656	2772	mh100.exe	46
PID 2772 wrote to memory of 2656	2772	mh100.exe	46
PID 2772 wrote to memory of 2656	2772	mh100.exe	46
PID 2772 wrote to memory of 2656	2772	mh100.exe	46
PID 2748 wrote to memory of 2732	2748	mh100.exe	49
PID 2748 wrote to memory of 2732	2748	mh100.exe	49
PID 2748 wrote to memory of 2732	2748	mh100.exe	49
PID 2748 wrote to memory of 2732	2748	mh100.exe	49
PID 2748 wrote to memory of 2100	2748	mh100.exe	50
PID 2748 wrote to memory of 2100	2748	mh100.exe	50
PID 2748 wrote to memory of 2100	2748	mh100.exe	50
PID 2748 wrote to memory of 2100	2748	mh100.exe	50
PID 2732 wrote to memory of 2096	2732	mh100.exe	52
PID 2732 wrote to memory of 2096	2732	mh100.exe	52
PID 2732 wrote to memory of 2096	2732	mh100.exe	52
PID 2732 wrote to memory of 2096	2732	mh100.exe	52
PID 2732 wrote to memory of 664	2732	mh100.exe	53
PID 2732 wrote to memory of 664	2732	mh100.exe	53
PID 2732 wrote to memory of 664	2732	mh100.exe	53
PID 2732 wrote to memory of 664	2732	mh100.exe	53

C:\Users\Admin\AppData\Local\Temp\afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\mh100.exe
  C:\Windows\system32\mh100.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\mh100.exe
    C:\Windows\system32\mh100.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\mh100.exe
      C:\Windows\system32\mh100.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2096
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:236
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2172
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:684
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3020
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2548
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:568
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1096
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1768
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2692
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3060
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        36⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        37⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        43⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        44⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        48⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        53⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        56⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        58⤵
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        60⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        61⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        64⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        66⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        67⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        69⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        70⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        71⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        72⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        73⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        74⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        75⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        77⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        78⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        81⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        82⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        83⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        84⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        85⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        86⤵
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        88⤵
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        89⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        91⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        93⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        94⤵
        
        PID:840
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        95⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        96⤵
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        97⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        100⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        101⤵
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        104⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        105⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        106⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        108⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        109⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        110⤵
        
        PID:928
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        111⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        112⤵
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        114⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        115⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        116⤵
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        117⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        118⤵
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        120⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        121⤵
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        124⤵
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        125⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        127⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        129⤵
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        130⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        131⤵
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        133⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        134⤵
        
        PID:752
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        135⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        136⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        137⤵
        
        PID:972
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        138⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        139⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        140⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        141⤵
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        142⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        143⤵
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\mh100.exe
        
        C:\Windows\system32\mh100.exe
        144⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        144⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        143⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        141⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        140⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        139⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        138⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        137⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        136⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        135⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        134⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        133⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        131⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        130⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        129⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        128⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        126⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        125⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        123⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        122⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        121⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        120⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        119⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        118⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        117⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        116⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        115⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        113⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        111⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        110⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        108⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        107⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        106⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        105⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        104⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        102⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        101⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        100⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        99⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        98⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        97⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        96⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        95⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        93⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        91⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        90⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        88⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        87⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        85⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        84⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        83⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        82⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        81⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        80⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        79⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        78⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        77⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        75⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        74⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        72⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        70⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        68⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        67⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        66⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        65⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        64⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        62⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        61⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        60⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        59⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        57⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        56⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        55⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        54⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        52⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        51⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        48⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        47⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        46⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        45⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        44⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        43⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        42⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        40⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        39⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        37⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        36⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        35⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        34⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        33⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        31⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        30⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        29⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        28⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        27⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        26⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        25⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        24⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        23⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        22⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        21⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        20⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        18⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        16⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        15⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        14⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        12⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        11⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        10⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        9⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        8⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
        5⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\mh100.exe"
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\afb7fc5edc8dcdc3e746a823a3058fdc_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\mh100.exe

Filesize
76KB

MD5
afb7fc5edc8dcdc3e746a823a3058fdc

SHA1
b93edf43f7d712a9ebc5435588206a84cb8cac8b

SHA256
dcc6864883f770c4ccaf486be9975ce581c5c3593df630c0df78b856f0c4c09d

SHA512
ed28b215c41a3d9b2b0620439f42ec0e510bdb2e2897fbed4bde4488cf2a65e628ca1c2a007fe193e85d40e11e628862a54c988b099e070a75d3000e9eb6dc1d

Download Submit
memory/2692-69-0x0000000076C60000-0x0000000076D7F000-memory.dmp

Filesize
1.1MB

Download
memory/2692-70-0x0000000076D80000-0x0000000076E7A000-memory.dmp

Filesize
1000KB

Download