f436765ff183c0e9f274db6a0bb1a366743987215d8a9a10bed877f8997690ea

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
Size

199KB
MD5

9f0a556061374d6ddd189b0f487c3975
SHA1

bd97e50faa6eb660249cb4dbae2119c3d114b2d7
SHA256

f436765ff183c0e9f274db6a0bb1a366743987215d8a9a10bed877f8997690ea
SHA512

b7cdea247894b1bbd771a971dd7a5283107a58f109c173e42ee585a5e6cc24a278b0b33bfdd44a0582b757924ff98601c1c74a2753242200d7b9248ce91802c6
SSDEEP

3072:pI/TvP5e7E9XY92n2Az51uHuiSivnE4St1zqf0NlKx7k/dhm4t3hEV6:pI7vPBW9qbz5AHuRtb1+8Ngx7kPms3hB

Score

10^/10

discovery evasion execution persistence

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

tazebama.dl_

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

tazebama.dl_

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tazebama.dl_

Executes dropped EXE 64 IoCs

Processes:

tazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exe

pid	Process
2204	tazebama.dl_
2464	SVOHOST.exe
2792	tazebama.dl_
2932	SVOHOST.exe
980	tazebama.dl_
2004	SVOHOST.exe
2952	tazebama.dl_
1744	SVOHOST.exe
800	tazebama.dl_
2068	SVOHOST.exe
2152	tazebama.dl_
2248	SVOHOST.exe
2428	tazebama.dl_
1604	SVOHOST.exe
836	tazebama.dl_
2156	SVOHOST.exe
912	tazebama.dl_
596	SVOHOST.exe
1032	tazebama.dl_
556	SVOHOST.exe
2032	tazebama.dl_
992	SVOHOST.exe
888	tazebama.dl_
2252	SVOHOST.exe
1952	tazebama.dl_
2572	SVOHOST.exe
1700	tazebama.dl_
2500	SVOHOST.exe
2768	tazebama.dl_
2884	SVOHOST.exe
2936	tazebama.dl_
2660	SVOHOST.exe
2612	tazebama.dl_
2664	SVOHOST.exe
2672	tazebama.dl_
1288	SVOHOST.exe
2868	tazebama.dl_
1640	SVOHOST.exe
1996	tazebama.dl_
2844	SVOHOST.exe
768	tazebama.dl_
1860	SVOHOST.exe
1416	tazebama.dl_
2520	SVOHOST.exe
2200	tazebama.dl_
2360	SVOHOST.exe
2068	tazebama.dl_
856	SVOHOST.exe
448	tazebama.dl_
2436	SVOHOST.exe
2424	tazebama.dl_
1536	SVOHOST.exe
1660	tazebama.dl_
2076	SVOHOST.exe
1360	tazebama.dl_
2064	SVOHOST.exe
1172	tazebama.dl_
2192	SVOHOST.exe
2168	tazebama.dl_
1944	SVOHOST.exe
2252	tazebama.dl_
1700	SVOHOST.exe
2560	tazebama.dl_
3044	SVOHOST.exe

Loads dropped DLL 64 IoCs

Processes:

9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exeWerFault.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exe

pid	Process
2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
2464	SVOHOST.exe
2464	SVOHOST.exe
2464	SVOHOST.exe
2892	WerFault.exe
2464	SVOHOST.exe
2464	SVOHOST.exe
2932	SVOHOST.exe
2932	SVOHOST.exe
2932	SVOHOST.exe
2932	SVOHOST.exe
2932	SVOHOST.exe
2004	SVOHOST.exe
2004	SVOHOST.exe
2004	SVOHOST.exe
2004	SVOHOST.exe
2004	SVOHOST.exe
1744	SVOHOST.exe
1744	SVOHOST.exe
1744	SVOHOST.exe
1744	SVOHOST.exe
1744	SVOHOST.exe
2068	SVOHOST.exe
2068	SVOHOST.exe
2068	SVOHOST.exe
2068	SVOHOST.exe
2068	SVOHOST.exe
2248	SVOHOST.exe
2248	SVOHOST.exe
2248	SVOHOST.exe
2248	SVOHOST.exe
2248	SVOHOST.exe
1604	SVOHOST.exe
1604	SVOHOST.exe
1604	SVOHOST.exe
1604	SVOHOST.exe
1604	SVOHOST.exe
2156	SVOHOST.exe
2156	SVOHOST.exe
2156	SVOHOST.exe
2156	SVOHOST.exe
2156	SVOHOST.exe
596	SVOHOST.exe
596	SVOHOST.exe
596	SVOHOST.exe
596	SVOHOST.exe
596	SVOHOST.exe
556	SVOHOST.exe
556	SVOHOST.exe
556	SVOHOST.exe
556	SVOHOST.exe
556	SVOHOST.exe
992	SVOHOST.exe
992	SVOHOST.exe
992	SVOHOST.exe
992	SVOHOST.exe
992	SVOHOST.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"	SVOHOST.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tazebama.dl_tazebama.dl_tazebama.dl_tazebama.dl_tazebama.dl_tazebama.dl_

description	ioc	Process
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops autorun.inf file 1 TTPs 18 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

tazebama.dl_tazebama.dl_tazebama.dl_tazebama.dl_tazebama.dl_tazebama.dl_

description	ioc	Process
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	F:\autorun.inf	tazebama.dl_

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File created	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\SVOHOST.exe	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\noruns.reg	SVOHOST.exe
File opened for modification	C:\Windows\SysWOW64\winscok.dll	SVOHOST.exe

Drops file in Program Files directory 64 IoCs

Processes:

tazebama.dl_tazebama.dl_

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\BR.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\GU.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\PL.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\PS.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\STATIONERY\STARS.HTM	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\INCLUDE\JAWT.H	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\INCLUDE\JVMTI.H	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\README.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\KO.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\KU.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\INTERNET EXPLORER\TIMELINE.CPU.XML	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\INCLUDE\JNI.H	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\OUTLOOK.EXE	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\MNG.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\PT-BR.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\UG.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\KU-CKB.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\CS.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\DE.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\SQ.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\INCLUDE\JDWPTRANSPORT.H	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\AN.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\HE.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\INCLUDE\JVMTICMLR.H	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\HISTORY.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\LT.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\MNG2.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\THIRDPARTYLICENSEREADME.TXT	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\SI.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\SR-SPL.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JVISUALVM.EXE	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\KK.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\EO.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\BG.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\GA.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\STATIONERY\GREEN BUBBLES.HTM	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\EXT.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\SL.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\TG.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\TR.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\ES.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\FUR.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\NL.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VSTO\10.0\VSTOINSTALLER.CONFIG	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\DVD MAKER\OFFSET.AX	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\INCLUDE\WIN32\JAWT_MD.H	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\CA.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\JA.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\TK.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\106.0.5249.119\WIDEVINECDM\_PLATFORM_SPECIFIC	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\DB\README-JDK.HTML	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\README.TXT	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSPUB.EXE	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LICENSE.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\HU.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\MR.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\PT.TXT	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\DA.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\FI.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\LANG\ID.TXT	tazebama.dl_
File opened for modification	C:\PROGRAM FILES\7-ZIP\7-ZIP.CHM	tazebama.dl_

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2076	sc.exe
2472	sc.exe
2612	sc.exe
2560	sc.exe
2356	sc.exe
2520	sc.exe
2648	sc.exe
1436	sc.exe
1288	sc.exe
3000	sc.exe
2004	sc.exe
2636	sc.exe
1556	sc.exe
2264	sc.exe
1784	sc.exe
2568	sc.exe
708	sc.exe
1548	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2892	2204	WerFault.exe	30
2408	2200	WerFault.exe	76
1368	316	WerFault.exe	117
1144	2600	WerFault.exe	154
2496	1664	WerFault.exe	185
1028	2684	WerFault.exe	341

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SVOHOST.exeSVOHOST.exeSVOHOST.exesc.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exesc.exeSVOHOST.exeSVOHOST.exeSVOHOST.exenet1.exenet1.exeSVOHOST.exeSVOHOST.exesc.exeSVOHOST.exesc.exenet1.exenet1.exeSVOHOST.exeSVOHOST.exesc.exeSVOHOST.exetazebama.dl_SVOHOST.exeSVOHOST.exenet1.exenet1.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exesc.exenet.exeSVOHOST.exetazebama.dl_SVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exesc.exenet1.exeSVOHOST.exetazebama.dl_

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tazebama.dl_
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tazebama.dl_
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVOHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tazebama.dl_

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid	Process
1996	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tazebama.dl_9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_SVOHOST.exetazebama.dl_

pid	Process
2204	tazebama.dl_
2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
2792	tazebama.dl_
2464	SVOHOST.exe
2464	SVOHOST.exe
980	tazebama.dl_
2932	SVOHOST.exe
2932	SVOHOST.exe
2952	tazebama.dl_
2004	SVOHOST.exe
2004	SVOHOST.exe
800	tazebama.dl_
1744	SVOHOST.exe
1744	SVOHOST.exe
2152	tazebama.dl_
2068	SVOHOST.exe
2068	SVOHOST.exe
2428	tazebama.dl_
2248	SVOHOST.exe
2248	SVOHOST.exe
836	tazebama.dl_
1604	SVOHOST.exe
1604	SVOHOST.exe
912	tazebama.dl_
2156	SVOHOST.exe
2156	SVOHOST.exe
1032	tazebama.dl_
596	SVOHOST.exe
596	SVOHOST.exe
2032	tazebama.dl_
556	SVOHOST.exe
556	SVOHOST.exe
888	tazebama.dl_
992	SVOHOST.exe
992	SVOHOST.exe
1952	tazebama.dl_
2252	SVOHOST.exe
2252	SVOHOST.exe
1700	tazebama.dl_
2572	SVOHOST.exe
2572	SVOHOST.exe
2768	tazebama.dl_
2500	SVOHOST.exe
2500	SVOHOST.exe
2936	tazebama.dl_
2884	SVOHOST.exe
2884	SVOHOST.exe
2612	tazebama.dl_
2660	SVOHOST.exe
2660	SVOHOST.exe
2672	tazebama.dl_
2664	SVOHOST.exe
2664	SVOHOST.exe
2868	tazebama.dl_
1288	SVOHOST.exe
1288	SVOHOST.exe
1996	tazebama.dl_
1640	SVOHOST.exe
1640	SVOHOST.exe
768	tazebama.dl_
2844	SVOHOST.exe
2844	SVOHOST.exe
1416	tazebama.dl_

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exetazebama.dl_SVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exeSVOHOST.exe

description	pid	Process	procid_target
PID 2512 wrote to memory of 2204	2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2204	2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2204	2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2204	2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2892	2204	tazebama.dl_	31
PID 2204 wrote to memory of 2892	2204	tazebama.dl_	31
PID 2204 wrote to memory of 2892	2204	tazebama.dl_	31
PID 2204 wrote to memory of 2892	2204	tazebama.dl_	31
PID 2512 wrote to memory of 2464	2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2464	2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2464	2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2464	2512	9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2792	2464	SVOHOST.exe	33
PID 2464 wrote to memory of 2792	2464	SVOHOST.exe	33
PID 2464 wrote to memory of 2792	2464	SVOHOST.exe	33
PID 2464 wrote to memory of 2792	2464	SVOHOST.exe	33
PID 2464 wrote to memory of 2932	2464	SVOHOST.exe	34
PID 2464 wrote to memory of 2932	2464	SVOHOST.exe	34
PID 2464 wrote to memory of 2932	2464	SVOHOST.exe	34
PID 2464 wrote to memory of 2932	2464	SVOHOST.exe	34
PID 2932 wrote to memory of 980	2932	SVOHOST.exe	35
PID 2932 wrote to memory of 980	2932	SVOHOST.exe	35
PID 2932 wrote to memory of 980	2932	SVOHOST.exe	35
PID 2932 wrote to memory of 980	2932	SVOHOST.exe	35
PID 2932 wrote to memory of 2004	2932	SVOHOST.exe	36
PID 2932 wrote to memory of 2004	2932	SVOHOST.exe	36
PID 2932 wrote to memory of 2004	2932	SVOHOST.exe	36
PID 2932 wrote to memory of 2004	2932	SVOHOST.exe	36
PID 2004 wrote to memory of 2952	2004	SVOHOST.exe	37
PID 2004 wrote to memory of 2952	2004	SVOHOST.exe	37
PID 2004 wrote to memory of 2952	2004	SVOHOST.exe	37
PID 2004 wrote to memory of 2952	2004	SVOHOST.exe	37
PID 2004 wrote to memory of 1744	2004	SVOHOST.exe	38
PID 2004 wrote to memory of 1744	2004	SVOHOST.exe	38
PID 2004 wrote to memory of 1744	2004	SVOHOST.exe	38
PID 2004 wrote to memory of 1744	2004	SVOHOST.exe	38
PID 1744 wrote to memory of 800	1744	SVOHOST.exe	39
PID 1744 wrote to memory of 800	1744	SVOHOST.exe	39
PID 1744 wrote to memory of 800	1744	SVOHOST.exe	39
PID 1744 wrote to memory of 800	1744	SVOHOST.exe	39
PID 1744 wrote to memory of 2068	1744	SVOHOST.exe	40
PID 1744 wrote to memory of 2068	1744	SVOHOST.exe	40
PID 1744 wrote to memory of 2068	1744	SVOHOST.exe	40
PID 1744 wrote to memory of 2068	1744	SVOHOST.exe	40
PID 2068 wrote to memory of 2152	2068	SVOHOST.exe	41
PID 2068 wrote to memory of 2152	2068	SVOHOST.exe	41
PID 2068 wrote to memory of 2152	2068	SVOHOST.exe	41
PID 2068 wrote to memory of 2152	2068	SVOHOST.exe	41
PID 2068 wrote to memory of 2248	2068	SVOHOST.exe	42
PID 2068 wrote to memory of 2248	2068	SVOHOST.exe	42
PID 2068 wrote to memory of 2248	2068	SVOHOST.exe	42
PID 2068 wrote to memory of 2248	2068	SVOHOST.exe	42
PID 2248 wrote to memory of 2428	2248	SVOHOST.exe	43
PID 2248 wrote to memory of 2428	2248	SVOHOST.exe	43
PID 2248 wrote to memory of 2428	2248	SVOHOST.exe	43
PID 2248 wrote to memory of 2428	2248	SVOHOST.exe	43
PID 2248 wrote to memory of 1604	2248	SVOHOST.exe	44
PID 2248 wrote to memory of 1604	2248	SVOHOST.exe	44
PID 2248 wrote to memory of 1604	2248	SVOHOST.exe	44
PID 2248 wrote to memory of 1604	2248	SVOHOST.exe	44
PID 1604 wrote to memory of 836	1604	SVOHOST.exe	45
PID 1604 wrote to memory of 836	1604	SVOHOST.exe	45
PID 1604 wrote to memory of 836	1604	SVOHOST.exe	45
PID 1604 wrote to memory of 836	1604	SVOHOST.exe	45

C:\Users\Admin\AppData\Local\Temp\9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 320
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2892
- C:\Windows\SysWOW64\SVOHOST.exe
  "C:\Windows\system32\SVOHOST.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- - C:\Windows\SysWOW64\SVOHOST.exe
    "C:\Windows\system32\SVOHOST.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:980
  - - C:\Windows\SysWOW64\SVOHOST.exe
      "C:\Windows\system32\SVOHOST.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
    - - C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
      - C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:596
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:888
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        22⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1416
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        24⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 324
        25⤵
        Program crash
        
        PID:2408
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        24⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        25⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        25⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        26⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        27⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        27⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        28⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2076
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        29⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        30⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        31⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        32⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        33⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        34⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        34⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        35⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        35⤵
        Adds Run key to start application
        
        PID:2612
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        36⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        36⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        37⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        37⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2972
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        38⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        39⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        39⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1968
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        40⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        40⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2264
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        41⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        41⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2184
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        42⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        42⤵
        
        PID:2600
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        43⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        43⤵
        Adds Run key to start application
        
        PID:380
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        44⤵
        Enumerates connected drives
        Drops autorun.inf file
        
        PID:316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 320
        45⤵
        Program crash
        
        PID:1368
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        45⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        45⤵
        Drops file in System32 directory
        
        PID:1900
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        46⤵
        
        PID:780
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:276
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        47⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        47⤵
        Adds Run key to start application
        
        PID:2556
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        48⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        48⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2192
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        49⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        49⤵
        
        PID:1944
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        50⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        51⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        51⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        52⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        52⤵
        Adds Run key to start application
        
        PID:2796
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        53⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        53⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        54⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        54⤵
        Adds Run key to start application
        
        PID:848
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        55⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        55⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1396
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        56⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        57⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        58⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        58⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        59⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        59⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1204
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        60⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        60⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2148
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        61⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        61⤵
        Adds Run key to start application
        
        PID:1920
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        62⤵
        Enumerates connected drives
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 320
        63⤵
        Program crash
        
        PID:1144
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        62⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        63⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        64⤵
        
        PID:872
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        64⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        65⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        65⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        66⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        66⤵
        
        PID:2388
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        67⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        68⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        68⤵
        Adds Run key to start application
        
        PID:2976
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        69⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        69⤵
        Adds Run key to start application
        
        PID:2884
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        70⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2788
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        71⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        71⤵
        Drops file in System32 directory
        
        PID:560
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        72⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        73⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        74⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        75⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        75⤵
        Adds Run key to start application
        
        PID:1968
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        76⤵
        
        PID:800
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        76⤵
        Drops file in System32 directory
        
        PID:2516
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        77⤵
        Enumerates connected drives
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 320
        78⤵
        Program crash
        
        PID:2496
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        77⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1888
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        78⤵
        
        PID:708
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        78⤵
        
        PID:1696
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        79⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        80⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        80⤵
        
        PID:1564
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        81⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        81⤵
        
        PID:2076
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        82⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        82⤵
        
        PID:2528
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        83⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        83⤵
        
        PID:2328
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        84⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        84⤵
        
        PID:1628
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        85⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        85⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        86⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        86⤵
        Adds Run key to start application
        
        PID:2500
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        87⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        87⤵
        Adds Run key to start application
        
        PID:2784
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        88⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        88⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        89⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        89⤵
        Drops file in System32 directory
        
        PID:2464
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        90⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        91⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        91⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2980
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        92⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        93⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        93⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        94⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        94⤵
        Adds Run key to start application
        
        PID:1144
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        95⤵
        
        PID:800
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        95⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        96⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        97⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        97⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        98⤵
        
        PID:956
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        98⤵
        
        PID:2428
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        99⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        99⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        100⤵
        Enumerates connected drives
        Drops autorun.inf file
        Drops file in Program Files directory
        
        PID:1636
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        100⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:880
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        101⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        102⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        102⤵
        Adds Run key to start application
        
        PID:2712
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        103⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        103⤵
        
        PID:1728
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        104⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        105⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        105⤵
        Adds Run key to start application
        
        PID:2464
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        106⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        106⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        107⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        108⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        108⤵
        Drops file in System32 directory
        
        PID:996
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        109⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        109⤵
        Drops file in System32 directory
        
        PID:1068
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        110⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        110⤵
        
        PID:1764
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        111⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        111⤵
        
        PID:952
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        112⤵
        
        PID:904
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        112⤵
        Drops file in System32 directory
        
        PID:1552
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        113⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        113⤵
        
        PID:1472
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        114⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        114⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        115⤵
        
        PID:536
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        115⤵
        
        PID:2284
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        116⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        116⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2100
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        117⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        117⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:892
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        118⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        118⤵
        Adds Run key to start application
        
        PID:2760
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        119⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        119⤵
        
        PID:2656
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        120⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        120⤵
        Adds Run key to start application
        
        PID:2788
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        121⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        122⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        122⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        123⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        123⤵
        
        PID:2132
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        124⤵
        
        PID:380
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        124⤵
        Adds Run key to start application
        
        PID:316
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        125⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        125⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1888
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        126⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        127⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        128⤵
        
        PID:296
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        128⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:284
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        129⤵
        
        PID:872
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        129⤵
        Adds Run key to start application
        
        PID:780
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        130⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        130⤵
        
        PID:2556
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        131⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        131⤵
        
        PID:2764
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        132⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        132⤵
        Adds Run key to start application
        
        PID:1048
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        133⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        133⤵
        Adds Run key to start application
        
        PID:2476
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        134⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        134⤵
        
        PID:2908
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        135⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        135⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        136⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        136⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2824
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        137⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        137⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1920
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        138⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        138⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        139⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        139⤵
        
        PID:1144
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        140⤵
        
        PID:380
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        140⤵
        
        PID:856
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        141⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        141⤵
        
        PID:1088
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        142⤵
        
        PID:836
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        142⤵
        Adds Run key to start application
        
        PID:2248
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        143⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        143⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2892
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        144⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        144⤵
        
        PID:2496
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        145⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        145⤵
        
        PID:340
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        146⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        146⤵
        Adds Run key to start application
        
        PID:1616
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        147⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        147⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1900
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        148⤵
        
        PID:564
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        148⤵
        Adds Run key to start application
        
        PID:780
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        149⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        149⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        150⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        150⤵
        
        PID:2724
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        151⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        151⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        152⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        152⤵
        
        PID:2736
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        153⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        153⤵
        
        PID:3036
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        154⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\SVOHOST.exe
        
        "C:\Windows\system32\SVOHOST.exe"
        154⤵
        Adds Run key to start application
        
        PID:2684
        
        C:\Documents and Settings\tazebama.dl_
        
        "C:\Documents and Settings\tazebama.dl_"
        155⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 228
        155⤵
        Program crash
        
        PID:1028
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\system32\noruns.reg
        155⤵
        Runs .reg file with regedit
        
        PID:1996
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop srservice
        155⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop srservice
        156⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config srservice start= disabled
        155⤵
        Launches sc.exe
        
        PID:2076
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        155⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        156⤵
        
        PID:996
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop KVWSC
        155⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KVWSC
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config KVWSC start= disabled
        155⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop KVSrvXP
        155⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KVSrvXP
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
        155⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop kavsvc
        155⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop kavsvc
        156⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config kavsvc start= disabled
        155⤵
        Launches sc.exe
        
        PID:2472
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop wscsvc
        155⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config wscsvc start= disabled
        155⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop SNDSrvc
        155⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SNDSrvc
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config SNDSrvc start= disabled
        155⤵
        Launches sc.exe
        
        PID:1556
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop ccProxy
        155⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ccProxy
        156⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config ccProxy start= disabled
        155⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop ccEvtMgr
        155⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ccEvtMgr
        156⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config ccEvtMgr start= disabled
        155⤵
        Launches sc.exe
        
        PID:2520
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop ccSetMgr
        155⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ccSetMgr
        156⤵
        
        PID:284
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config ccSetMgr start= disabled
        155⤵
        Launches sc.exe
        
        PID:2648
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop SPBBCSvc
        155⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SPBBCSvc
        156⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config SPBBCSvc start= disabled
        155⤵
        Launches sc.exe
        
        PID:2612
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop Symantec Core LC
        155⤵
        
        PID:916
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop Symantec Core LC
        156⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config Symantec Core LC start= disabled
        155⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop NPFMntor
        155⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NPFMntor
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config NPFMntor start= disabled
        155⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop MskService
        155⤵
        
        PID:236
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MskService
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config MskService start= disabled
        155⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop McTaskManager
        155⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McTaskManager
        156⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config McTaskManager start= disabled
        155⤵
        Launches sc.exe
        
        PID:1288
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop McShield
        155⤵
        
        PID:264
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McShield
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config McShield start= disabled
        155⤵
        Launches sc.exe
        
        PID:2568
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop McAfeeFramework
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop McAfeeFramework
        156⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config McAfeeFramework start= disabled
        155⤵
        Launches sc.exe
        
        PID:3000
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config RsRavMon start= disabled
        155⤵
        Launches sc.exe
        
        PID:2560
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop RsCCenter
        155⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RsCCenter
        156⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config RsCCenter start= disabled
        155⤵
        Launches sc.exe
        
        PID:1548
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop RsRavMon
        155⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RsRavMon
        156⤵
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
bead5e3c9043ed6f54d9270412c8a2f1

SHA1
9049987a3e6a0d73484c7444ff4b1442b0e3f749

SHA256
e620c65011d105cc3fdd941c919f4007a137230d139ecab46869b85ddddea6e6

SHA512
f984f62ae04e92a3021e9967ccd819e90292aee9da4a9461252bb4a5e69bec200e0b44cdc5d8b3dda071e7d0662360951bfd2d3c7606c79d4705e59d4a3ca043

Download Submit
C:\Documents and Settings\tazebama.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\README.html

Filesize
136B

MD5
1ca562aea2a0b9b55f6bf262d4ae62a9

SHA1
723e523d85be40d8dfa4e0138d4496f7ee29e6d7

SHA256
b55311d568626d5fd1d74b290f87d649d23260b25a2a4c6e73fbeb0f9462d6da

SHA512
ecf59c6de6402010acd366e928819df05152b633ce50470f93679870d490bf5b2d3ad2b3eb78d46518dfd5b2ac941c0babcb485e546c469080a4baba03ab685d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html

Filesize
921B

MD5
35dea6961c1f36a7a98d76b7650ae6f1

SHA1
4d8521213d41aa30035a1559843cb2d2bc1ec8e4

SHA256
acf9d9bf216c3e117801276a1a656ca0b2db58065f3db3fb029b594a67d7be76

SHA512
65971bf7a85b2beb9c7758f9a02229de0def1752bea285ec9774843eec694da8a15392c25d9cc449fab37dbb1a53edfadd0222c6c6dd182d8ac8a4a9db217d73

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
cf9d008aee69d32afd0e89f4e5802366

SHA1
1957abc6c3e68ecf265074d291fa712820aaabf9

SHA256
776ffb92561e8e8ac414613ad8134f64db5a48ebc442f42c6ffa03701731cf7a

SHA512
9f4b26ced1c989e52af01b4a89f96e94fa5d1afaae13641c425ef6e8a2661fc39504ebb4ec4658a815b2e5ebf9f9c810c2e9053a866c5cdcc69b7977ff8beb37

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
9ccd924199157b6b550384bca46b9de2

SHA1
7e0af53e556d4c74aa2e7c222b09fd7ffbf1aabf

SHA256
7212093aad9a87460e64b9f8be67d49ea23a6d0850c9d89f7912b30f9dab2bd0

SHA512
46c2e78a7817f9870886b639c6765e2e6650aec2e9021598e895f615d17374b86498a4cd02ff0f7f769c87b12b1c75016c8e124884ad8d9b321ed852af6d9209

Download Submit
C:\Windows\SysWOW64\noruns.reg

Filesize
122B

MD5
704f9f14e6c5b902de15f37bbb234bbc

SHA1
4e7bd14012b5fe1b07b9ed99a00565ed1d86348b

SHA256
69c8425b75d3be48f68c1abf33bb9d30688bbd9d28809d92f9dc537393a3d3b4

SHA512
02376153d198f415f53aabc67272c6042ee4f2c1048b3c5025200d8946f433669cd48295e1bfcd33d1fc8c24f4e1ff0dfb78e36926ad91a334e02718afa93042

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt

Filesize
362KB

MD5
66c21122e5f329fef0b923faa8b7ad7d

SHA1
86d7ea69e680025a311fd6cc80e0bba017fc63e2

SHA256
0158c67c25391f6f837e749e85e39af924bdb878ed71c57349fdfd6cc00e1ac9

SHA512
5d1875bdf8beefa5c004ce51bef684206acbfde066a155d02d93b1234890499a094cc83d38396fc7af2ed228efc1df22c06dd5a4064eb9f90824058c66c5a304

Download Submit
C:\vcredist2010_x64.log.html

Filesize
85KB

MD5
f8ca4ca683b491d00fcc0e55cc7bafd0

SHA1
aa555a2ea0d4eba8a161811ba031628e2e4f89d6

SHA256
4e84a30bb8054a2573e1aa7609363752e753118876de8cf4cebd392ed05a5b7e

SHA512
b6d82e9065cc1b8d962f4c0adf9d71bf7f17f857b189582e3ffa557c63f7513cd6037d034f2d8789a101756d5f81004a476fefa985881eeeaed5fced98b7d4fd

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

Filesize
378KB

MD5
cb689e2d27bee75647140519c948b046

SHA1
341405291813b977721bd8c3fa1bdaf79c7a2178

SHA256
f0847b15421ccf595bbda57a2dd4e6806ab4046232bbb0a754db33092a6508e2

SHA512
6f81dbd06954f2ac89c164b39905e149688c5c1ca2b81a1b7e5f7a1d22987f3bd9acc25f617d5df1c66c807a385eb3ce1a5edf91c41419772ff965266f8a00dd

Download Submit
C:\zPharaoh.exe

Filesize
151KB

MD5
3e20039f83575f5faf66a77b75529d79

SHA1
fff397a52a1417acfe593f3ca1d0619df812321b

SHA256
3f5598a42b46c332576026e80cb012b35b85b3bad52282c49f1b52cb087edbc4

SHA512
cd28635cf73fcd7727c629e56345205e7070f1ad0807a21be7c913ca966f6dedb012fa0a8e6851f11179f2e79a68f782f221468074f19f22207317ae706b2f68

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\RCX2F98.tmp

Filesize
69KB

MD5
8ba404e90194c38541e324657e72f74c

SHA1
ad9fda28f95b7747579a7fbb8a18e1d1e6311a49

SHA256
8145e4c62390f9c55343cc6dadb790dc2cb9463c4f578fa57bf43f12c4720340

SHA512
1f594ebb6b970c9cb86b97d642351106a52db407c6e90db7391b50e97a1136e5ba13aeec66c9b985192c377d8c5c70d3746a00f37bcc83855fea316cf8d82362

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\S-1-5-21-2872745919-2748461613-2989606286-1000 .exe

Filesize
151KB

MD5
91a8bce779c8408d10955bfb8950b496

SHA1
f0ea5f0452ef811eee609fb8d49f19080c87571b

SHA256
92b20a051d9e95de7c2aaf1a5d78cdd914c8d1ea5e73a124c6b267b8d313ea08

SHA512
f345ae6d5c43a3efc9a8218d8fdfac398c4d7ad4210bb0ce3e8a65a5722106e404dfaabf8024db9bc5c5e8ada78504d2eed40828beba2857dbc1a23dfbdaeacc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\WinrRarSerialInstall.exe

Filesize
151KB

MD5
f529b0f248564d09e25e4b5e9512a1e6

SHA1
efa8a91c9d7a994cea1a80cd3a96dc02a16736c9

SHA256
c469346a0134de75110559132779768473662e46df00918737270f57234c5e8a

SHA512
b56409adf4e61add1293d20a815429fe36e3838ce17cae1fa34bb47a2565c582c3d50a9a6d18fad04b4e3b716bb03dec1e34ed8bfbba58f8cf2d2970b1ae3d58

Download Submit
F:\zPharaoh.exe

Filesize
151KB

MD5
556105b8e2e5f394394f35eaa52ef13a

SHA1
1d4bf6b4001acabb877de49b7302f9cb9e32acd1

SHA256
c6f8697d12862def6d373039ac29b2a1560a172ec08338231dd1098bc448c439

SHA512
2c89475b9a0f3285dc06dc38eb39ed379bd501484ac73131f5eb38feea84dc012f61e5bd294ab5e9b308a5eadd2260d7622077eaf1683798334f664152d9ca97

Download Submit
\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
\Windows\SysWOW64\SVOHOST.exe

Filesize
199KB

MD5
9f0a556061374d6ddd189b0f487c3975

SHA1
bd97e50faa6eb660249cb4dbae2119c3d114b2d7

SHA256
f436765ff183c0e9f274db6a0bb1a366743987215d8a9a10bed877f8997690ea

SHA512
b7cdea247894b1bbd771a971dd7a5283107a58f109c173e42ee585a5e6cc24a278b0b33bfdd44a0582b757924ff98601c1c74a2753242200d7b9248ce91802c6

Download Submit
memory/556-222-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/556-218-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/556-221-0x0000000001F00000-0x0000000001F27000-memory.dmp

Filesize
156KB

Download
memory/596-214-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/596-210-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/768-306-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/800-148-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/836-190-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/856-348-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/856-353-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/912-201-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/992-227-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/992-231-0x0000000002090000-0x00000000020B7000-memory.dmp

Filesize
156KB

Download
memory/992-230-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1032-211-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-292-0x0000000001E60000-0x0000000001E87000-memory.dmp

Filesize
156KB

Download
memory/1288-288-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1288-293-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1288-291-0x0000000001E60000-0x0000000001E87000-memory.dmp

Filesize
156KB

Download
memory/1604-191-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/1604-194-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1604-195-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1640-298-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/1640-301-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1700-245-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1744-156-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1744-145-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/1744-154-0x00000000020C0000-0x00000000020E7000-memory.dmp

Filesize
156KB

Download
memory/1860-317-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1860-313-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/1860-314-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/2004-128-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2004-127-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2004-136-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-134-0x0000000001F60000-0x0000000001F87000-memory.dmp

Filesize
156KB

Download
memory/2032-217-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2068-175-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2068-342-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2068-173-0x0000000001EB0000-0x0000000001ED7000-memory.dmp

Filesize
156KB

Download
memory/2152-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-200-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/2156-204-0x0000000002390000-0x00000000023B7000-memory.dmp

Filesize
156KB

Download
memory/2156-205-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2200-327-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2204-256-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2204-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2248-185-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2248-182-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/2252-236-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/2252-240-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2252-239-0x00000000020C0000-0x00000000020E7000-memory.dmp

Filesize
156KB

Download
memory/2360-345-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/2360-347-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2360-341-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2360-346-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/2428-181-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2464-82-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2464-88-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2464-87-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2464-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2464-83-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2464-85-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2464-94-0x0000000001ED0000-0x0000000001EF7000-memory.dmp

Filesize
156KB

Download
memory/2464-95-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2500-257-0x00000000022D0000-0x00000000022F7000-memory.dmp

Filesize
156KB

Download
memory/2500-258-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2512-14-0x00000000002F0000-0x0000000000306000-memory.dmp

Filesize
88KB

Download
memory/2512-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2512-15-0x000000000041B000-0x0000000000426000-memory.dmp

Filesize
44KB

Download
memory/2512-13-0x00000000002F0000-0x0000000000306000-memory.dmp

Filesize
88KB

Download
memory/2512-68-0x000000000041B000-0x0000000000426000-memory.dmp

Filesize
44KB

Download
memory/2512-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2512-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2512-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2512-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2520-321-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2520-326-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/2520-325-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/2520-336-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2572-249-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2572-246-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/2612-274-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2660-273-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2660-277-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2664-285-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2672-282-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2792-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2844-310-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2844-307-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2884-264-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2884-267-0x00000000004F0000-0x0000000000517000-memory.dmp

Filesize
156KB

Download
memory/2884-268-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2884-260-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2932-113-0x0000000002070000-0x0000000002097000-memory.dmp

Filesize
156KB

Download
memory/2932-115-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2932-111-0x0000000002070000-0x0000000002097000-memory.dmp

Filesize
156KB

Download
memory/2952-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download