aaefbc297b57228834cc15f2a9369ad46bc6ec9a5de09dab594b04e9f0637769

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
Size

130KB
MD5

fda298f72a1983e613b35cb3becd6ad3
SHA1

624d8e8c2a0967300cd784b426f2458c260c1ec0
SHA256

aaefbc297b57228834cc15f2a9369ad46bc6ec9a5de09dab594b04e9f0637769
SHA512

bda59edc47edd9cc5ed7e3cf36f47cd6c09155e78071ac35898cfc8257137cfa0df2d3e47a7523bd0d627e2b707134d8fd62033acbc9551e6b2324083a824efe
SSDEEP

3072:Yq6jDD70ClF9yU0kT1mNL9j3FRnOatS2OULqLUe2Mnu:Yq6jDD7v79ytk0V9j1ROatCUcu

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	msdbgcli.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	msdbgcli.exe

Executes dropped EXE 64 IoCs

pid	Process
3088	msdbgcli.exe
2072	msdbgcli.exe
380	msdbgcli.exe
4616	msdbgcli.exe
3588	msdbgcli.exe
4872	msdbgcli.exe
904	msdbgcli.exe
4952	msdbgcli.exe
3680	msdbgcli.exe
4776	msdbgcli.exe
1976	msdbgcli.exe
1712	msdbgcli.exe
2496	msdbgcli.exe
1732	msdbgcli.exe
2868	msdbgcli.exe
712	msdbgcli.exe
336	msdbgcli.exe
4740	msdbgcli.exe
2496	msdbgcli.exe
4560	msdbgcli.exe
2840	msdbgcli.exe
2216	msdbgcli.exe
3460	msdbgcli.exe
4248	msdbgcli.exe
1268	msdbgcli.exe
1572	msdbgcli.exe
3364	msdbgcli.exe
228	msdbgcli.exe
3040	msdbgcli.exe
1532	msdbgcli.exe
4408	msdbgcli.exe
4264	msdbgcli.exe
1452	msdbgcli.exe
4828	msdbgcli.exe
1068	msdbgcli.exe
3088	msdbgcli.exe
5076	msdbgcli.exe
3436	msdbgcli.exe
2828	msdbgcli.exe
4228	msdbgcli.exe
1880	msdbgcli.exe
1204	msdbgcli.exe
1128	msdbgcli.exe
4168	msdbgcli.exe
428	msdbgcli.exe
1820	msdbgcli.exe
4144	msdbgcli.exe
2688	msdbgcli.exe
4500	msdbgcli.exe
1320	msdbgcli.exe
4060	msdbgcli.exe
1860	msdbgcli.exe
3584	msdbgcli.exe
2840	msdbgcli.exe
1848	msdbgcli.exe
3028	msdbgcli.exe
2080	msdbgcli.exe
1980	msdbgcli.exe
1476	msdbgcli.exe
1880	msdbgcli.exe
4720	msdbgcli.exe
2216	msdbgcli.exe
3040	msdbgcli.exe
1736	msdbgcli.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Debug Client = "msdbgcli.exe"	msdbgcli.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File opened for modification	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe
File created	C:\Windows\SysWOW64\msdbgcli.exe	msdbgcli.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4740-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4740-1-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/files/0x0009000000023582-7.dat	upx
behavioral2/memory/3088-38-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4740-40-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2072-47-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3088-46-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/380-54-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2072-53-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4616-61-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/380-60-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4616-67-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3588-68-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4872-75-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3588-74-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4872-81-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/904-82-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/904-88-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3680-95-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4952-94-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3680-101-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4776-102-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4776-108-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1976-109-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1712-116-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1976-115-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1712-122-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2496-128-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1732-134-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/712-141-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2868-140-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/712-147-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/336-148-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/336-154-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4740-155-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4740-161-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2496-167-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4560-173-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2216-180-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2840-179-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3460-186-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2216-185-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3460-190-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4248-194-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1268-198-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1572-201-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3364-205-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/228-206-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/228-210-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3040-214-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1532-218-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4408-219-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4408-223-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4264-224-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4264-228-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1452-232-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4828-236-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3088-241-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1068-240-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3088-245-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5076-249-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3436-253-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2828-254-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4228-260-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdbgcli.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdbgcli.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4740	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3088	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2072	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	380	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4616	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3588	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4872	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	904	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4952	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3680	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4776	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1976	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1712	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2496	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1732	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2868	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	712	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	336	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4740	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2496	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4560	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2840	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2216	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3460	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4248	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1268	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1572	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3364	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	228	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3040	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1532	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4408	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4264	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1452	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4828	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1068	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3088	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	5076	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3436	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2828	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4228	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1880	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1204	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1128	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4168	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	428	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1820	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4144	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2688	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4500	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1320	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4060	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1860	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3584	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2840	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1848	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3028	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2080	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1980	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1476	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	1880	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	4720	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	2216	msdbgcli.exe
Token: SeIncBasePriorityPrivilege	3040	msdbgcli.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3088	4740	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	91
PID 4740 wrote to memory of 3088	4740	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	91
PID 4740 wrote to memory of 3088	4740	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	91
PID 4740 wrote to memory of 3504	4740	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	92
PID 4740 wrote to memory of 3504	4740	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	92
PID 4740 wrote to memory of 3504	4740	fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe	92
PID 3088 wrote to memory of 2072	3088	msdbgcli.exe	94
PID 3088 wrote to memory of 2072	3088	msdbgcli.exe	94
PID 3088 wrote to memory of 2072	3088	msdbgcli.exe	94
PID 3088 wrote to memory of 2504	3088	msdbgcli.exe	95
PID 3088 wrote to memory of 2504	3088	msdbgcli.exe	95
PID 3088 wrote to memory of 2504	3088	msdbgcli.exe	95
PID 2072 wrote to memory of 380	2072	msdbgcli.exe	97
PID 2072 wrote to memory of 380	2072	msdbgcli.exe	97
PID 2072 wrote to memory of 380	2072	msdbgcli.exe	97
PID 2072 wrote to memory of 2884	2072	msdbgcli.exe	98
PID 2072 wrote to memory of 2884	2072	msdbgcli.exe	98
PID 2072 wrote to memory of 2884	2072	msdbgcli.exe	98
PID 380 wrote to memory of 4616	380	msdbgcli.exe	100
PID 380 wrote to memory of 4616	380	msdbgcli.exe	100
PID 380 wrote to memory of 4616	380	msdbgcli.exe	100
PID 380 wrote to memory of 5068	380	msdbgcli.exe	101
PID 380 wrote to memory of 5068	380	msdbgcli.exe	101
PID 380 wrote to memory of 5068	380	msdbgcli.exe	101
PID 4616 wrote to memory of 3588	4616	msdbgcli.exe	103
PID 4616 wrote to memory of 3588	4616	msdbgcli.exe	103
PID 4616 wrote to memory of 3588	4616	msdbgcli.exe	103
PID 4616 wrote to memory of 920	4616	msdbgcli.exe	104
PID 4616 wrote to memory of 920	4616	msdbgcli.exe	104
PID 4616 wrote to memory of 920	4616	msdbgcli.exe	104
PID 3588 wrote to memory of 4872	3588	msdbgcli.exe	106
PID 3588 wrote to memory of 4872	3588	msdbgcli.exe	106
PID 3588 wrote to memory of 4872	3588	msdbgcli.exe	106
PID 3588 wrote to memory of 1712	3588	msdbgcli.exe	107
PID 3588 wrote to memory of 1712	3588	msdbgcli.exe	107
PID 3588 wrote to memory of 1712	3588	msdbgcli.exe	107
PID 4872 wrote to memory of 904	4872	msdbgcli.exe	112
PID 4872 wrote to memory of 904	4872	msdbgcli.exe	112
PID 4872 wrote to memory of 904	4872	msdbgcli.exe	112
PID 4872 wrote to memory of 2640	4872	msdbgcli.exe	113
PID 4872 wrote to memory of 2640	4872	msdbgcli.exe	113
PID 4872 wrote to memory of 2640	4872	msdbgcli.exe	113
PID 904 wrote to memory of 4952	904	msdbgcli.exe	115
PID 904 wrote to memory of 4952	904	msdbgcli.exe	115
PID 904 wrote to memory of 4952	904	msdbgcli.exe	115
PID 904 wrote to memory of 940	904	msdbgcli.exe	116
PID 904 wrote to memory of 940	904	msdbgcli.exe	116
PID 904 wrote to memory of 940	904	msdbgcli.exe	116
PID 4952 wrote to memory of 3680	4952	msdbgcli.exe	120
PID 4952 wrote to memory of 3680	4952	msdbgcli.exe	120
PID 4952 wrote to memory of 3680	4952	msdbgcli.exe	120
PID 4952 wrote to memory of 3776	4952	msdbgcli.exe	121
PID 4952 wrote to memory of 3776	4952	msdbgcli.exe	121
PID 4952 wrote to memory of 3776	4952	msdbgcli.exe	121
PID 3680 wrote to memory of 4776	3680	msdbgcli.exe	123
PID 3680 wrote to memory of 4776	3680	msdbgcli.exe	123
PID 3680 wrote to memory of 4776	3680	msdbgcli.exe	123
PID 3680 wrote to memory of 4748	3680	msdbgcli.exe	124
PID 3680 wrote to memory of 4748	3680	msdbgcli.exe	124
PID 3680 wrote to memory of 4748	3680	msdbgcli.exe	124
PID 4776 wrote to memory of 1976	4776	msdbgcli.exe	126
PID 4776 wrote to memory of 1976	4776	msdbgcli.exe	126
PID 4776 wrote to memory of 1976	4776	msdbgcli.exe	126
PID 4776 wrote to memory of 1384	4776	msdbgcli.exe	127

C:\Users\Admin\AppData\Local\Temp\fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fda298f72a1983e613b35cb3becd6ad3_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\msdbgcli.exe
  "C:\Windows\system32\msdbgcli.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\msdbgcli.exe
    "C:\Windows\system32\msdbgcli.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\msdbgcli.exe
      "C:\Windows\system32\msdbgcli.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:380
    - - C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        20⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        26⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        27⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        33⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        35⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        36⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        38⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        39⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        45⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        47⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        49⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        56⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        57⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        58⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        59⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        61⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        64⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        65⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        66⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        67⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        68⤵
        Checks computer location settings
        
        PID:1880
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        69⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        71⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        72⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        73⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        74⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        75⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        76⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        79⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        
        PID:32
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        80⤵
        Drops file in Drivers directory
        
        PID:4104
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        81⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        82⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:428
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        84⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        86⤵
        Drops file in Drivers directory
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        87⤵
        Drops file in Drivers directory
        
        PID:4068
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        88⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        89⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        90⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        91⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        92⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        93⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        95⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        96⤵
        Checks computer location settings
        
        PID:2328
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        97⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        98⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        99⤵
        Drops file in Drivers directory
        
        PID:1880
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        101⤵
        Drops file in Drivers directory
        
        PID:2376
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        102⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        103⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        105⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        106⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:4560
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        107⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        108⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        109⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        110⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        111⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        112⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        113⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        115⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:348
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        116⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        117⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        118⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:5096
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        119⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        120⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        121⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        122⤵
        Drops file in Drivers directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        123⤵
        Adds Run key to start application
        
        PID:3320
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        124⤵
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        125⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        126⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1860
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        127⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        130⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        131⤵
        Checks computer location settings
        
        PID:952
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        132⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        133⤵
        Drops file in Drivers directory
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        134⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2524
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        135⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        136⤵
        Checks computer location settings
        
        PID:3756
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        137⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        138⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3040
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        139⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1616
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        140⤵
        Checks computer location settings
        
        PID:380
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        141⤵
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        142⤵
        Drops file in Drivers directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        143⤵
        Drops file in Drivers directory
        
        PID:3988
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        144⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        145⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        147⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        148⤵
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        149⤵
        Adds Run key to start application
        
        PID:4044
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        150⤵
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        151⤵
        Drops file in Drivers directory
        
        PID:388
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        152⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:4992
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        153⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:4860
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        154⤵
        Drops file in Drivers directory
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        155⤵
        Drops file in Drivers directory
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        156⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        157⤵
        Adds Run key to start application
        
        PID:1380
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        158⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:3044
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        160⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\msdbgcli.exe
        
        "C:\Windows\system32\msdbgcli.exe"
        161⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        161⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        160⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        159⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        158⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        157⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        156⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        155⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        154⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        153⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        152⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        151⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        150⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        148⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        147⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        144⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        142⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        140⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        139⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        138⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        137⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        136⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        135⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        132⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        131⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        130⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        129⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        128⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        127⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        126⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        124⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        123⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        122⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        121⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        120⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        116⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        115⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        114⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        113⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        112⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        111⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        110⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        109⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        108⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        107⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        105⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        104⤵
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        103⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        102⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        101⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        99⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        98⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        97⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        96⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        95⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        94⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        93⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        92⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        91⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        89⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        88⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        87⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        86⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        85⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        83⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        82⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        81⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        77⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        76⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        75⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        74⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        73⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        72⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        71⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        69⤵
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        67⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        66⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        65⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        64⤵
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        63⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        62⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        61⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        60⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        58⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        57⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        56⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        54⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        53⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        52⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        51⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        50⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        49⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        48⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        47⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        46⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        45⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        44⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        41⤵
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        40⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        39⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        38⤵
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        36⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        35⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        34⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        33⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        32⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        31⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        30⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        29⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        27⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        26⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        25⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        24⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        22⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        21⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        20⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        19⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        17⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        16⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        15⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        14⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        13⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        12⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        11⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        10⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        9⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        6⤵
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
        5⤵
        
        PID:5068
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\msdbgcli.exe > nul
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FDA298~1.EXE > nul
  2⤵
  PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msdbgcli.exe

Filesize
130KB

MD5
fda298f72a1983e613b35cb3becd6ad3

SHA1
624d8e8c2a0967300cd784b426f2458c260c1ec0

SHA256
aaefbc297b57228834cc15f2a9369ad46bc6ec9a5de09dab594b04e9f0637769

SHA512
bda59edc47edd9cc5ed7e3cf36f47cd6c09155e78071ac35898cfc8257137cfa0df2d3e47a7523bd0d627e2b707134d8fd62033acbc9551e6b2324083a824efe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
1eb5dbd7ebfd9f3605e67fedb176ae68

SHA1
21ca5827abb9be937aa664728d9c95abd44d8c15

SHA256
93609d43bed5439833ca9ec57bf9ae6ae9bc5e5bd2a1cf68340977c9b3f4b344

SHA512
d50e8f0d85e3e0c95b7081143e0ecac710a11ab7236bbdb0fc5ce5e2ab87f810b43ce6adf1d9df2a73059e10e581c65b15c17ff6238221b0ecb78004956e0356

Download Submit
memory/228-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/228-210-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/336-154-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/336-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/380-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/380-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/428-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/712-147-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/712-141-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/904-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/904-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1204-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1268-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1320-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1452-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1476-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1532-218-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1572-201-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-122-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1732-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1736-367-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1848-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1860-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1860-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-349-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1976-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1976-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1980-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1980-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2072-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2072-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2080-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2496-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2496-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-297-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2828-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2828-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2840-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2840-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3028-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-46-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3364-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3436-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3460-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3460-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3584-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3588-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3588-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3680-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3680-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4060-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4144-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4144-288-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4168-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4168-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4228-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4248-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4500-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4500-302-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-67-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-2-0x0000000000425000-0x0000000000443000-memory.dmp

Filesize
120KB

Download
memory/4740-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-155-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4776-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4776-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4828-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-75-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-94-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads