pandastealer | 12ea95d36207191230b40421226f81333db636fc04e46b3459b914bb616e9550

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
Size

1.8MB
MD5

8a1a868a140dc10c47ceb377b764c9de
SHA1

467a1d1875b1e65140010687304c40c15a89b73a
SHA256

12ea95d36207191230b40421226f81333db636fc04e46b3459b914bb616e9550
SHA512

83995bd4dd5b13206b1af7b5402a3f5e5a115a47a426b63a2b151a10c54ce7fcf98aa701ef6d49f8de0fc20fd9414a22bdf56a90e0934e47e748c259a92b457b
SSDEEP

49152:0hzRz4om5ylz+PysnyKg+ol4MQSvuhTByHdcuvkQ1:YlzH0yxktyTWgoTBacuvkQ1

Score

10^/10

pandastealer aspackv2 discovery persistence stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002425b-40.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002425e-27.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe

Executes dropped EXE 64 IoCs

pid	Process
3420	cxfplay.exe
4520	cc.exe
2072	cc.exe
4604	cc.exe
1428	cc.exe
4536	cc.exe
3820	cc.exe
5148	cc.exe
3224	cc.exe
3964	cc.exe
2720	cc.exe
6100	cc.exe
2560	cc.exe
6052	cc.exe
5668	cc.exe
1300	cc.exe
5056	cc.exe
5576	cc.exe
4580	cc.exe
3488	cc.exe
2248	cc.exe
4608	cc.exe
4752	cc.exe
4636	cc.exe
3176	cc.exe
2312	cc.exe
3164	cc.exe
5248	cc.exe
2868	cc.exe
5168	cc.exe
3340	cc.exe
5960	cc.exe
1948	cc.exe
2376	cc.exe
5484	cc.exe
4584	cc.exe
4632	cc.exe
5504	cc.exe
1504	cc.exe
3924	cc.exe
812	cc.exe
1952	cc.exe
5032	cc.exe
5140	cc.exe
5716	cc.exe
4464	cc.exe
3892	cc.exe
4284	cc.exe
2604	cc.exe
1924	cc.exe
1412	cc.exe
3284	cc.exe
4456	cc.exe
4708	cc.exe
4532	cc.exe
5104	cc.exe
4128	cc.exe
5008	cc.exe
6092	cc.exe
3968	cc.exe
4920	cc.exe
6120	cc.exe
4052	cc.exe
4204	cc.exe

Loads dropped DLL 64 IoCs

pid	Process
3420	cxfplay.exe
4520	cc.exe
2072	cc.exe
4604	cc.exe
1428	cc.exe
4536	cc.exe
3820	cc.exe
5148	cc.exe
3224	cc.exe
3964	cc.exe
2720	cc.exe
6100	cc.exe
2560	cc.exe
6052	cc.exe
5668	cc.exe
1300	cc.exe
5056	cc.exe
5576	cc.exe
4580	cc.exe
3488	cc.exe
2248	cc.exe
4608	cc.exe
4752	cc.exe
4636	cc.exe
3176	cc.exe
2312	cc.exe
3164	cc.exe
5248	cc.exe
2868	cc.exe
5168	cc.exe
3340	cc.exe
5960	cc.exe
1948	cc.exe
2376	cc.exe
5484	cc.exe
4584	cc.exe
4632	cc.exe
5504	cc.exe
1504	cc.exe
3924	cc.exe
812	cc.exe
1952	cc.exe
5032	cc.exe
5140	cc.exe
5716	cc.exe
4464	cc.exe
3892	cc.exe
4284	cc.exe
2604	cc.exe
1924	cc.exe
1412	cc.exe
3284	cc.exe
4456	cc.exe
4708	cc.exe
4532	cc.exe
5104	cc.exe
4128	cc.exe
5008	cc.exe
6092	cc.exe
3968	cc.exe
4920	cc.exe
6120	cc.exe
4052	cc.exe
4204	cc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cc = "c:\\cc\\cc.exe"	cc.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\__tmp_rar_sfx_access_check_240614468	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\rvnw.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\rvnw.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\cxfplay.exe	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\RichEditHandler.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\RichEditHandler.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\rvcore.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\yyxf_play.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\cxfplay.exe	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\rvcore.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\cc.dat	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\yyxf_play.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\RAViewerModule.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\RAViewerModule.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File created	C:\Windows\rvcomlib.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\rvcomlib.dll	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
File opened for modification	C:\Windows\cc.dat	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3420	cxfplay.exe
3420	cxfplay.exe
3420	cxfplay.exe
3420	cxfplay.exe
4520	cc.exe
4520	cc.exe
4520	cc.exe
4520	cc.exe
2072	cc.exe
2072	cc.exe
2072	cc.exe
2072	cc.exe
4604	cc.exe
4604	cc.exe
4604	cc.exe
4604	cc.exe
1428	cc.exe
1428	cc.exe
1428	cc.exe
1428	cc.exe
4536	cc.exe
4536	cc.exe
4536	cc.exe
4536	cc.exe
3820	cc.exe
3820	cc.exe
3820	cc.exe
3820	cc.exe
5148	cc.exe
5148	cc.exe
5148	cc.exe
5148	cc.exe
3224	cc.exe
3224	cc.exe
3224	cc.exe
3224	cc.exe
3964	cc.exe
3964	cc.exe
3964	cc.exe
3964	cc.exe
2720	cc.exe
2720	cc.exe
2720	cc.exe
2720	cc.exe
6100	cc.exe
6100	cc.exe
6100	cc.exe
6100	cc.exe
2560	cc.exe
2560	cc.exe
2560	cc.exe
2560	cc.exe
6052	cc.exe
6052	cc.exe
6052	cc.exe
6052	cc.exe
5668	cc.exe
5668	cc.exe
5668	cc.exe
5668	cc.exe
1300	cc.exe
1300	cc.exe
1300	cc.exe
1300	cc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	cxfplay.exe
Token: SeDebugPrivilege	4520	cc.exe
Token: SeDebugPrivilege	2072	cc.exe
Token: SeDebugPrivilege	4604	cc.exe
Token: SeDebugPrivilege	1428	cc.exe
Token: SeDebugPrivilege	4536	cc.exe
Token: SeDebugPrivilege	3820	cc.exe
Token: SeDebugPrivilege	5148	cc.exe
Token: SeDebugPrivilege	3224	cc.exe
Token: SeDebugPrivilege	3964	cc.exe
Token: SeDebugPrivilege	2720	cc.exe
Token: SeDebugPrivilege	6100	cc.exe
Token: SeDebugPrivilege	2560	cc.exe
Token: SeDebugPrivilege	6052	cc.exe
Token: SeDebugPrivilege	5668	cc.exe
Token: SeDebugPrivilege	1300	cc.exe
Token: SeDebugPrivilege	5056	cc.exe
Token: SeDebugPrivilege	5576	cc.exe
Token: SeDebugPrivilege	4580	cc.exe
Token: SeDebugPrivilege	3488	cc.exe
Token: SeDebugPrivilege	2248	cc.exe
Token: SeDebugPrivilege	4608	cc.exe
Token: SeDebugPrivilege	4752	cc.exe
Token: SeDebugPrivilege	4636	cc.exe
Token: SeDebugPrivilege	3176	cc.exe
Token: SeDebugPrivilege	2312	cc.exe
Token: SeDebugPrivilege	3164	cc.exe
Token: SeDebugPrivilege	5248	cc.exe
Token: SeDebugPrivilege	2868	cc.exe
Token: SeDebugPrivilege	5168	cc.exe
Token: SeDebugPrivilege	3340	cc.exe
Token: SeDebugPrivilege	5960	cc.exe
Token: SeDebugPrivilege	1948	cc.exe
Token: SeDebugPrivilege	2376	cc.exe
Token: SeDebugPrivilege	5484	cc.exe
Token: SeDebugPrivilege	4584	cc.exe
Token: SeDebugPrivilege	4632	cc.exe
Token: SeDebugPrivilege	5504	cc.exe
Token: SeDebugPrivilege	1504	cc.exe
Token: SeDebugPrivilege	3924	cc.exe
Token: SeDebugPrivilege	812	cc.exe
Token: SeDebugPrivilege	1952	cc.exe
Token: SeDebugPrivilege	5032	cc.exe
Token: SeDebugPrivilege	5140	cc.exe
Token: SeDebugPrivilege	5716	cc.exe
Token: SeDebugPrivilege	4464	cc.exe
Token: SeDebugPrivilege	3892	cc.exe
Token: SeDebugPrivilege	4284	cc.exe
Token: SeDebugPrivilege	2604	cc.exe
Token: SeDebugPrivilege	1924	cc.exe
Token: SeDebugPrivilege	1412	cc.exe
Token: SeDebugPrivilege	3284	cc.exe
Token: SeDebugPrivilege	4456	cc.exe
Token: SeDebugPrivilege	4708	cc.exe
Token: SeDebugPrivilege	4532	cc.exe
Token: SeDebugPrivilege	5104	cc.exe
Token: SeDebugPrivilege	4128	cc.exe
Token: SeDebugPrivilege	5008	cc.exe
Token: SeDebugPrivilege	6092	cc.exe
Token: SeDebugPrivilege	3968	cc.exe
Token: SeDebugPrivilege	4920	cc.exe
Token: SeDebugPrivilege	6120	cc.exe
Token: SeDebugPrivilege	4052	cc.exe
Token: SeDebugPrivilege	4204	cc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3420	cxfplay.exe
4520	cc.exe
2072	cc.exe
4604	cc.exe
1428	cc.exe
4536	cc.exe
3820	cc.exe
5148	cc.exe
3224	cc.exe
3964	cc.exe
2720	cc.exe
6100	cc.exe
2560	cc.exe
6052	cc.exe
5668	cc.exe
1300	cc.exe
5056	cc.exe
5576	cc.exe
4580	cc.exe
3488	cc.exe
2248	cc.exe
4608	cc.exe
4752	cc.exe
4636	cc.exe
3176	cc.exe
2312	cc.exe
3164	cc.exe
5248	cc.exe
2868	cc.exe
5168	cc.exe
3340	cc.exe
5960	cc.exe
1948	cc.exe
2376	cc.exe
5484	cc.exe
4584	cc.exe
4632	cc.exe
5504	cc.exe
1504	cc.exe
3924	cc.exe
812	cc.exe
1952	cc.exe
5032	cc.exe
5140	cc.exe
5716	cc.exe
4464	cc.exe
3892	cc.exe
4284	cc.exe
2604	cc.exe
1924	cc.exe
1412	cc.exe
3284	cc.exe
4456	cc.exe
4708	cc.exe
4532	cc.exe
5104	cc.exe
4128	cc.exe
5008	cc.exe
6092	cc.exe
3968	cc.exe
4920	cc.exe
6120	cc.exe
4052	cc.exe
4204	cc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 3420	1212	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	89
PID 1212 wrote to memory of 3420	1212	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	89
PID 1212 wrote to memory of 3420	1212	JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe	89
PID 3420 wrote to memory of 4372	3420	cxfplay.exe	91
PID 3420 wrote to memory of 4372	3420	cxfplay.exe	91
PID 4320 wrote to memory of 4520	4320	cmd.exe	94
PID 4320 wrote to memory of 4520	4320	cmd.exe	94
PID 4320 wrote to memory of 4520	4320	cmd.exe	94
PID 4520 wrote to memory of 5712	4520	cc.exe	95
PID 4520 wrote to memory of 5712	4520	cc.exe	95
PID 4424 wrote to memory of 2072	4424	cmd.exe	98
PID 4424 wrote to memory of 2072	4424	cmd.exe	98
PID 4424 wrote to memory of 2072	4424	cmd.exe	98
PID 2072 wrote to memory of 4388	2072	cc.exe	99
PID 2072 wrote to memory of 4388	2072	cc.exe	99
PID 4592 wrote to memory of 4604	4592	cmd.exe	102
PID 4592 wrote to memory of 4604	4592	cmd.exe	102
PID 4592 wrote to memory of 4604	4592	cmd.exe	102
PID 4604 wrote to memory of 4716	4604	cc.exe	103
PID 4604 wrote to memory of 4716	4604	cc.exe	103
PID 4704 wrote to memory of 1428	4704	cmd.exe	106
PID 4704 wrote to memory of 1428	4704	cmd.exe	106
PID 4704 wrote to memory of 1428	4704	cmd.exe	106
PID 1428 wrote to memory of 3944	1428	cc.exe	107
PID 1428 wrote to memory of 3944	1428	cc.exe	107
PID 5908 wrote to memory of 4536	5908	cmd.exe	110
PID 5908 wrote to memory of 4536	5908	cmd.exe	110
PID 5908 wrote to memory of 4536	5908	cmd.exe	110
PID 4536 wrote to memory of 2428	4536	cc.exe	111
PID 4536 wrote to memory of 2428	4536	cc.exe	111
PID 5088 wrote to memory of 3820	5088	cmd.exe	114
PID 5088 wrote to memory of 3820	5088	cmd.exe	114
PID 5088 wrote to memory of 3820	5088	cmd.exe	114
PID 3820 wrote to memory of 3952	3820	cc.exe	115
PID 3820 wrote to memory of 3952	3820	cc.exe	115
PID 1620 wrote to memory of 5148	1620	cmd.exe	118
PID 1620 wrote to memory of 5148	1620	cmd.exe	118
PID 1620 wrote to memory of 5148	1620	cmd.exe	118
PID 5148 wrote to memory of 1168	5148	cc.exe	119
PID 5148 wrote to memory of 1168	5148	cc.exe	119
PID 5300 wrote to memory of 3224	5300	cmd.exe	122
PID 5300 wrote to memory of 3224	5300	cmd.exe	122
PID 5300 wrote to memory of 3224	5300	cmd.exe	122
PID 3224 wrote to memory of 1608	3224	cc.exe	123
PID 3224 wrote to memory of 1608	3224	cc.exe	123
PID 6072 wrote to memory of 3964	6072	cmd.exe	126
PID 6072 wrote to memory of 3964	6072	cmd.exe	126
PID 6072 wrote to memory of 3964	6072	cmd.exe	126
PID 3964 wrote to memory of 1772	3964	cc.exe	127
PID 3964 wrote to memory of 1772	3964	cc.exe	127
PID 4988 wrote to memory of 2720	4988	cmd.exe	130
PID 4988 wrote to memory of 2720	4988	cmd.exe	130
PID 4988 wrote to memory of 2720	4988	cmd.exe	130
PID 2720 wrote to memory of 1492	2720	cc.exe	131
PID 2720 wrote to memory of 1492	2720	cc.exe	131
PID 5188 wrote to memory of 6100	5188	cmd.exe	134
PID 5188 wrote to memory of 6100	5188	cmd.exe	134
PID 5188 wrote to memory of 6100	5188	cmd.exe	134
PID 6100 wrote to memory of 3736	6100	cc.exe	137
PID 6100 wrote to memory of 3736	6100	cc.exe	137
PID 3996 wrote to memory of 2560	3996	cmd.exe	140
PID 3996 wrote to memory of 2560	3996	cmd.exe	140
PID 3996 wrote to memory of 2560	3996	cmd.exe	140
PID 2560 wrote to memory of 2120	2560	cc.exe	142

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a1a868a140dc10c47ceb377b764c9de.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1212
- C:\windows\cxfplay.exe
  "C:\windows\cxfplay.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3420
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4520
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4592
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4604
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4704
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1428
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5908
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4536
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3820
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5148
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5300
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3224
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6072
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3964
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2720
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5188
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6100
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3996
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2560
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3560
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6052
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4440
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5668
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5708
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1300
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3252
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5056
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4532
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5576
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1780
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4580
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1768
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3488
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2096
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2248
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5396
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4608
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2396
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4752
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5328
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4636
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5008
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3176
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5336
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2312
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5568
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3164
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2192
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5248
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1456
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2868
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4152
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5168
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2888
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3340
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:544
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5960
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5792
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1948
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4352
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2376
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4392
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5484
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3988
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4584
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3152
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4632
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4688
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5504
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1164
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1504
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2228
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3924
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4760
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:812
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5448
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1952
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4268
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5032
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2816
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5140
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1284
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5716
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4224
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4464
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5364
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3892
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:408
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4284
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3964
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2604
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3708
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1924
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1176
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1412
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5508
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3284
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4864
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4456
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5600
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4708
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4504
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4532
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1504
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5104
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4876
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4128
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5352
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5008
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1900
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6092
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2004
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3968
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1484
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4920
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:408
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6120
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3964
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4052
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:116
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4204
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1212
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4368
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4380
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3988
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1736
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4668
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4580
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2704
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4356
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4056
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5712
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:8
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5104
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:776
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2228
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3484
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4268
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3436
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5328
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5032
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4780
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2096
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:2192
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4740
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5772
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:960
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3456
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3100
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5568
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5160
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1544
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4272
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:6116
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2376
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3016
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4776
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4204
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4660
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:5668
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5996
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1780
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5824
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1676
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5656
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:772
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1920
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1060
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4324
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1888
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3904
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1580
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5088
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1952
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4604
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:776
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1492
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:3484
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4460
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3436
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5488
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2152
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5672
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5772
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:5628
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1976
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4384
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5568
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5944
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1544
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5872
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1532
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:3572
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1300
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1480
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5880
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4348
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4444
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:6132
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2972
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4424
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4600
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:5860
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4188
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5428
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5432
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4512
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1100
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3028
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4004
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5908
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1960
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:3952
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4128
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2936
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2624
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5028
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:6020
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5640
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5064
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:3652
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:960
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5672
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4816
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5628
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4044
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4384
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1956
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5548
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5872
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4840
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3844
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6120
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5400
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3432
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4732
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2644
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4176
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4660
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2892
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4976
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4704
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4792
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3188
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5576
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4652
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4760
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4492
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3076
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3028
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2988
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:6024
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2140
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3952
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1820
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2936
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2228
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2828
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5648
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5900
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:6020
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4576
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4224
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5580
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5672
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4856
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5628
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2336
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4520
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4296
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1260
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4612
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4564
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:5872
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5184
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:2468
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:6116
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3260
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5400
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:6008
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4372
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:2588
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5260
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5484
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4976
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5684
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2928
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1040
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2704
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:788
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5964
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4188
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5232
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:3496
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1684
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:972
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:556
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:760
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1952
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1928
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1144
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3912
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4344
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2096
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:32
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2560
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2660
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:676
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1948
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3892
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4552
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1448
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1372
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4288
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:6052
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5568
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3844
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3608
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3876
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4396
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:2644
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5792
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4444
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4060
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3824
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5784
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:704
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1120
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4436
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5712
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5832
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5396
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2328
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:3924
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2188
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1748
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5028
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4992
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5072
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5464
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1888
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5868
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1772
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3952
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:5300
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:6056
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3648
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3628
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3684
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4020
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4228
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1992
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:6012
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1896
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:6120
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:872
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5080
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4832
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:3680
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4288
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3252
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3200
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1412
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4716
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2744
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2124
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4824
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5668
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:1824
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5452
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4380
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2596
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4372
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4648
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:6132
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5752
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2436
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4276
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1060
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2704
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:5980
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1748
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3904
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4992
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5088
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2040
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1580
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3560
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1720
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2152
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2680
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5352
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4796
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4808
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5580
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4228
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3568
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:6012
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1544
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1228
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3256
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3228
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4456
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:844
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3208
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:2468
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:6112
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5624
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3356
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:2992
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4176
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4348
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:772
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4788
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5452
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3224
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2056
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4580
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:8
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:464
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:460
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:4704
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4212
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:3444
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5236
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4628
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:4188
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5448
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:184
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5356
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:776
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1888
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3628
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:3588
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:3100
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2660
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:5708
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:1948
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:1564
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:2816
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:872
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5948
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:516
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:732
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  - Adds Run key to start application
  PID:1544
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:632
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:5912
- - \??\c:\windows\explorer.exe
    c:\windows\explorer.exe
    3⤵
    PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\cc\cc.exe
1⤵
PID:5792
- \??\c:\cc\cc.exe
  c:\cc\cc.exe
  2⤵
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cxfplay.exe

Filesize
1.4MB

MD5
1094990dfd12238269e78bda2d3c2ae3

SHA1
11f2df2161a0a3203a626d35ab8fbb2e179642c5

SHA256
4acb7bea58429e8a545ccf15bf7033fc472566f49c139a068fb0daba0206151b

SHA512
bd3e2fb294fea015ae28bd78f261d291d3452c7291aea14136714a7a3c28fbbc2d26852a4f7f91068df7b2d9fd0cbd585d36c7faebb56767a90feda19910c367

Download Submit
C:\Windows\yyxf_play.dll

Filesize
352KB

MD5
7512d9837e5cebe31a47f1a400ac90ff

SHA1
e9d35167edb2fcac5f1cb3d4edafdd3f590e1e71

SHA256
2ef3024ea05d61d9353aad9b4496fd88ebf6e1df0765b650c45342ad0b58b5db

SHA512
cf1fd937d36b38a3c53585d524341d78ebea3f8e5731f1c33acb7531efae7b5ac35f6a373c604ad0ad04bb8f9411b8e78a08815bbd571ce24493a5bd39c51382

Download Submit
C:\windows\RAViewerModule.dll

Filesize
365KB

MD5
92acb83043ccffe56719ecbdbb092a66

SHA1
83623fc16ded4f0f78159cf76d8757739953d352

SHA256
ef27f7e567581d3e047c7f8350737eb2ab48508d4ebd8de17973cbeb2b2b0b50

SHA512
ba72407323436f674a9f63db7d508b96e64647afbee16b92327bbeac6846ba980b7cbcfd125134f30527bb8dc27610852e00d725f905580c8de8979c84d51323

Download Submit
C:\windows\RichEditHandler.dll

Filesize
81KB

MD5
7e6ddd4b25edc57b7f881e02c244714e

SHA1
ae5ebc627985d67873a55e801b12019ae42233c9

SHA256
58561ddc27c9a071ddc8a49e121face7b337f1a954afa3a92baeafed0d6d06cc

SHA512
00aeb20752268099011a8f1c3ce873b3f3f20b64ade8d19ef22a0877f7b6e469885fecb2e54b14ab6c521c9ec232960dbb5ddf219b9f5e9c006a51965897251c

Download Submit
C:\windows\cc.dat

Filesize
860KB

MD5
5a0f0482e44006b1f38edbde2ef6e11e

SHA1
9ba443ce3e71e0e63e198460514e32ee29ee5ed1

SHA256
6d63c0be51502d584018366d55967a28b08257faaeb610924231b28e026b89a0

SHA512
6dab61877ce90be2c86c495dbcb9f5a96c88a936dda1ec0db8618d258b02a45232d61c2412ca12040bc0f8a92bbd3ecaf4c0c1f901998cc9af5d4c9f2e6bd83a

Download Submit
C:\windows\rvcomlib.dll

Filesize
425KB

MD5
c52b22e50c23987bb3a1881ea29e352d

SHA1
8f38b3dfe06e9a2dbd9d209eb4114eaa334e4e36

SHA256
504c919e9806d4739e9985ca66ce8233027d0637adb4864e403a4f6aa930b174

SHA512
a44bc014549d44af59c13e7ea9c4f3a4126cb18d99a13619ca24c694b0d06678970d972526f84eed8ce4d76d0f2f9d710a4a65213589c4ac4e48e20986229c1b

Download Submit
C:\windows\rvcore.dll

Filesize
256KB

MD5
c43ee5a72e44b4bf97d4a1de2e6ffc63

SHA1
20ad68a2118a8816d44c1578780db5d2fcbb7aca

SHA256
4b6462504d263931594fb62167f73dea38176747cbe5cb4847f070b9aa9065bd

SHA512
e7d0e976e12c3e16659f133a0fa96b1a2732461194d61ae25932bb0420fa0ad29a9e859871349046f6c8d896f6055f72fec5ab166ac6c39cfa87a4d10bc69c8b

Download Submit
C:\windows\rvnw.dll

Filesize
397KB

MD5
b2f30d7414dc32fec99599f005aef947

SHA1
27fe258b373b1b9f1b1c103b6e2f1a9e0a8b56e1

SHA256
b94fe242c8ee5e7f740d35a86e56a2a9782ccd7721c9486630c8301eb408dc0e

SHA512
9cd8956f6c73a9537ecb623d3b02658be3741970263e72b7abb20be4b5f1a135dec3559442364279e9936ecf64aaa5d7eaa83cd88ae0fd126c41100197f9b877

Download Submit
memory/812-401-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1300-211-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1412-472-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1428-85-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1428-110-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1428-88-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1428-89-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1428-86-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1428-87-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1504-387-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1544-680-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1924-465-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1948-345-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/1952-408-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2072-69-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2072-74-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2072-73-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2072-72-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2072-71-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2072-70-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2072-91-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2192-651-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2228-623-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2248-257-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2312-294-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2376-352-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2560-183-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2604-457-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2720-165-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2720-140-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2720-141-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2720-142-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2720-144-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2720-143-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2868-316-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3016-694-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3164-301-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3176-287-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3224-146-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3284-463-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3284-479-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3340-331-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3340-314-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3420-33-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3420-31-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3420-30-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3420-29-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3420-32-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3420-66-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3420-28-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3456-665-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3488-248-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3512-588-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3820-128-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3820-107-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3820-104-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3820-108-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3820-105-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3820-106-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3892-443-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3924-394-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3964-131-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3964-133-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3964-134-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3964-132-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3964-156-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3964-135-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3968-522-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3968-539-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/3988-581-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4052-560-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4128-516-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4204-567-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4268-630-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4284-450-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4356-602-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4368-574-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4456-487-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4464-436-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4520-55-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4520-53-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4520-54-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4520-58-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4520-57-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4520-56-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4520-75-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4532-501-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4532-485-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4536-99-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4536-95-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4536-120-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4536-94-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4536-96-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4536-97-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4536-98-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4580-239-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4580-595-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4580-219-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4584-366-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4604-79-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4604-78-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4604-101-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4604-81-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4604-80-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4604-82-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4608-266-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4632-373-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4636-280-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4708-494-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4752-273-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4780-644-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/4920-546-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5008-507-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5008-524-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5032-415-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5056-200-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5056-221-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5104-509-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5104-616-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5140-422-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5148-118-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5148-114-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5148-117-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5148-113-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5148-115-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5148-137-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5148-116-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5168-324-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5248-308-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5328-637-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5484-359-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5504-380-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5568-673-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5576-230-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5668-202-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5712-609-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5716-429-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5772-658-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5960-321-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/5960-338-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/6052-192-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/6092-531-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/6100-174-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/6100-154-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/6116-671-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/6116-687-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/6120-532-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/6120-553-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download