cycbot | 5428b0d1a7635a415eba28ee76fb577b2d0caa6d2c36d2308e0b2372872015dc

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
Size

484KB
MD5

97fe6db4a3c910d9d72b42a67cb134cb
SHA1

34f7776cade03b11cbdcc05f10e78b427a390c76
SHA256

5428b0d1a7635a415eba28ee76fb577b2d0caa6d2c36d2308e0b2372872015dc
SHA512

39036a7fe8f50220dcd7ea97e2b6a6235e2425523d942f4c49d9dc9f4193c4a2402e003483fc91d9901c6ddbe3628aaeffe8799be64a5694919558f413e01428
SSDEEP

12288:UP9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:UPoBHch+uudKNffiv1aVSaPTeO

Score

10^/10

cycbot backdoor defense_evasion discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2188-96-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral2/memory/5524-148-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral2/memory/3476-205-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral2/memory/5524-256-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral2/memory/5524-508-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral2/memory/5524-543-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	V6oUpCF0mC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jaubev.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	V6oUpCF0mC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe

Executes dropped EXE 64 IoCs

pid	Process
4948	V6oUpCF0mC.exe
2156	jaubev.exe
3528	jaubev.exe
2320	ayhost.exe
3844	ayhost.exe
3476	byhost.exe
4544	byhost.exe
1460	jaubev.exe
3096	jaubev.exe
5524	cyhost.exe
2188	cyhost.exe
3076	jaubev.exe
5536	jaubev.exe
5096	jaubev.exe
3168	jaubev.exe
5980	jaubev.exe
3256	jaubev.exe
708	jaubev.exe
4784	jaubev.exe
2532	jaubev.exe
976	jaubev.exe
4664	jaubev.exe
3984	jaubev.exe
4496	jaubev.exe
3324	jaubev.exe
3936	jaubev.exe
3476	cyhost.exe
4856	jaubev.exe
4000	jaubev.exe
812	jaubev.exe
1968	jaubev.exe
2376	jaubev.exe
5536	jaubev.exe
5096	jaubev.exe
4932	jaubev.exe
5980	jaubev.exe
880	jaubev.exe
552	jaubev.exe
1328	jaubev.exe
5164	jaubev.exe
5440	jaubev.exe
2672	jaubev.exe
4196	jaubev.exe
5852	jaubev.exe
6060	jaubev.exe
2964	jaubev.exe
1460	jaubev.exe
3648	jaubev.exe
5484	jaubev.exe
6052	jaubev.exe
1560	jaubev.exe
4920	jaubev.exe
608	jaubev.exe
5496	jaubev.exe
1040	jaubev.exe
3184	jaubev.exe
3696	jaubev.exe
6084	jaubev.exe
5944	dyhost.exe
3048	jaubev.exe
3624	jaubev.exe
2336	jaubev.exe
3772	jaubev.exe
1956	jaubev.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /d"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /z"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /e"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /l"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /h"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /B"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /O"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /C"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /G"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /g"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /Y"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /W"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /P"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /j"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /S"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /J"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /v"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /R"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /Q"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /n"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /m"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /x"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /D"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /y"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /L"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /A"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /Z"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /y"	V6oUpCF0mC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /f"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /F"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /M"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /k"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /X"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /s"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /q"	jaubev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Program Files (x86)\\Internet Explorer\\lvvm.exe"	cyhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /o"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /p"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /K"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /r"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /i"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /u"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /w"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /c"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /a"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /E"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /T"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /b"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /U"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /I"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /V"	jaubev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaubev = "C:\\Users\\Admin\\jaubev.exe /H"	jaubev.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
224	tasklist.exe
856	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4684 set thread context of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 2320 set thread context of 3844	2320	ayhost.exe	103
PID 3476 set thread context of 4544	3476	byhost.exe	106
PID 4544 set thread context of 4856	4544	byhost.exe	107

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5108-7-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/5108-4-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/5108-6-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/5108-89-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/2188-96-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/5524-148-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/3476-205-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/5524-256-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/5524-508-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/5108-518-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/5524-543-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\lvvm.exe	cyhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaubev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	V6oUpCF0mC.exe
4948	V6oUpCF0mC.exe
4948	V6oUpCF0mC.exe
4948	V6oUpCF0mC.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
3844	ayhost.exe
3844	ayhost.exe
3844	ayhost.exe
3844	ayhost.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
2156	jaubev.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe
3844	ayhost.exe
3844	ayhost.exe
3844	ayhost.exe
3844	ayhost.exe
3844	ayhost.exe
3844	ayhost.exe
2156	jaubev.exe
2156	jaubev.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	tasklist.exe
Token: SeDebugPrivilege	856	tasklist.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
4948	V6oUpCF0mC.exe
2156	jaubev.exe
3528	jaubev.exe
2320	ayhost.exe
3476	byhost.exe
1460	jaubev.exe
3096	jaubev.exe
3076	jaubev.exe
5536	jaubev.exe
5096	jaubev.exe
3168	jaubev.exe
5980	jaubev.exe
3256	jaubev.exe
708	jaubev.exe
4784	jaubev.exe
2532	jaubev.exe
976	jaubev.exe
4664	jaubev.exe
3984	jaubev.exe
4496	jaubev.exe
3324	jaubev.exe
3936	jaubev.exe
4856	jaubev.exe
4000	jaubev.exe
812	jaubev.exe
1968	jaubev.exe
2376	jaubev.exe
5536	jaubev.exe
5096	jaubev.exe
4932	jaubev.exe
5980	jaubev.exe
880	jaubev.exe
552	jaubev.exe
1328	jaubev.exe
5164	jaubev.exe
5440	jaubev.exe
2672	jaubev.exe
4196	jaubev.exe
5852	jaubev.exe
6060	jaubev.exe
2964	jaubev.exe
1460	jaubev.exe
3648	jaubev.exe
5484	jaubev.exe
6052	jaubev.exe
1560	jaubev.exe
4920	jaubev.exe
608	jaubev.exe
5496	jaubev.exe
1040	jaubev.exe
3184	jaubev.exe
3696	jaubev.exe
6084	jaubev.exe
5944	dyhost.exe
3048	jaubev.exe
3624	jaubev.exe
2336	jaubev.exe
3772	jaubev.exe
1956	jaubev.exe
2872	jaubev.exe
2316	jaubev.exe
2324	jaubev.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 4684 wrote to memory of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 4684 wrote to memory of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 4684 wrote to memory of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 4684 wrote to memory of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 4684 wrote to memory of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 4684 wrote to memory of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 4684 wrote to memory of 5108	4684	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	85
PID 5108 wrote to memory of 4948	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	89
PID 5108 wrote to memory of 4948	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	89
PID 5108 wrote to memory of 4948	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	89
PID 4948 wrote to memory of 2156	4948	V6oUpCF0mC.exe	95
PID 4948 wrote to memory of 2156	4948	V6oUpCF0mC.exe	95
PID 4948 wrote to memory of 2156	4948	V6oUpCF0mC.exe	95
PID 4948 wrote to memory of 4732	4948	V6oUpCF0mC.exe	98
PID 4948 wrote to memory of 4732	4948	V6oUpCF0mC.exe	98
PID 4948 wrote to memory of 4732	4948	V6oUpCF0mC.exe	98
PID 3520 wrote to memory of 3528	3520	cmd.exe	100
PID 3520 wrote to memory of 3528	3520	cmd.exe	100
PID 3520 wrote to memory of 3528	3520	cmd.exe	100
PID 4732 wrote to memory of 224	4732	cmd.exe	101
PID 4732 wrote to memory of 224	4732	cmd.exe	101
PID 4732 wrote to memory of 224	4732	cmd.exe	101
PID 5108 wrote to memory of 2320	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	102
PID 5108 wrote to memory of 2320	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	102
PID 5108 wrote to memory of 2320	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	102
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 2320 wrote to memory of 3844	2320	ayhost.exe	103
PID 5108 wrote to memory of 3476	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	105
PID 5108 wrote to memory of 3476	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	105
PID 5108 wrote to memory of 3476	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	105
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 3476 wrote to memory of 4544	3476	byhost.exe	106
PID 4544 wrote to memory of 4856	4544	byhost.exe	107
PID 4544 wrote to memory of 4856	4544	byhost.exe	107
PID 4544 wrote to memory of 4856	4544	byhost.exe	107
PID 2512 wrote to memory of 1460	2512	cmd.exe	113
PID 2512 wrote to memory of 1460	2512	cmd.exe	113
PID 2512 wrote to memory of 1460	2512	cmd.exe	113
PID 4744 wrote to memory of 3096	4744	cmd.exe	116
PID 4744 wrote to memory of 3096	4744	cmd.exe	116
PID 4744 wrote to memory of 3096	4744	cmd.exe	116
PID 5108 wrote to memory of 5524	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	117
PID 5108 wrote to memory of 5524	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	117
PID 5108 wrote to memory of 5524	5108	JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe	117
PID 5524 wrote to memory of 2188	5524	cyhost.exe	120
PID 5524 wrote to memory of 2188	5524	cyhost.exe	120
PID 5524 wrote to memory of 2188	5524	cyhost.exe	120
PID 3064 wrote to memory of 3076	3064	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\V6oUpCF0mC.exe
    C:\Users\Admin\V6oUpCF0mC.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Users\Admin\jaubev.exe
      "C:\Users\Admin\jaubev.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
- - C:\Users\Admin\ayhost.exe
    C:\Users\Admin\ayhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\ayhost.exe
      "C:\Users\Admin\ayhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3844
- - C:\Users\Admin\byhost.exe
    C:\Users\Admin\byhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Users\Admin\byhost.exe
      "C:\Users\Admin\byhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\explorer.exe
        
        000000D0*
        5⤵
        
        PID:4856
- - C:\Users\Admin\cyhost.exe
    C:\Users\Admin\cyhost.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:5524
  - - C:\Users\Admin\cyhost.exe
      C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      PID:2188
  - - C:\Users\Admin\cyhost.exe
      C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      PID:3476
- - C:\Users\Admin\dyhost.exe
    C:\Users\Admin\dyhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_97fe6db4a3c910d9d72b42a67cb134cb.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5384
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /y
1⤵
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /f
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /n
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /n
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Internet Explorer\lvvm.exe
1⤵
PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /F
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /F
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /I
1⤵
PID:4336
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /I
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /m
1⤵
PID:516
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /m
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:5244
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /x
1⤵
PID:4372
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /x
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /o
1⤵
PID:2828
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /o
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /D
1⤵
PID:4508
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /D
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /y
1⤵
PID:608
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /u
1⤵
PID:652
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /u
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /w
1⤵
PID:5232
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /w
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /y
1⤵
PID:5112
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /g
1⤵
PID:5988
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /g
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /e
1⤵
PID:5944
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /e
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /R
1⤵
PID:5020
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /R
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:2564
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Y
1⤵
PID:2412
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:5080
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /n
1⤵
PID:1140
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /n
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:1268
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /V
1⤵
PID:3988
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /V
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /m
1⤵
PID:1128
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /m
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /p
1⤵
PID:5952
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /p
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /g
1⤵
PID:3492
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /g
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /I
1⤵
PID:3712
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /I
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /c
1⤵
PID:1208
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /K
1⤵
PID:4056
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /K
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /M
1⤵
PID:5300
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /M
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /y
1⤵
PID:4716
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /I
1⤵
PID:5496
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /L
1⤵
PID:3796
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /L
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /h
1⤵
PID:5944
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /k
1⤵
PID:6048
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /k
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Y
1⤵
PID:2336
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /c
1⤵
PID:2036
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /X
1⤵
PID:264
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /X
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /a
1⤵
PID:2824
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /a
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /W
1⤵
PID:3988
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /W
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /A
1⤵
PID:3720
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /A
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /H
1⤵
PID:4864
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /H
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /h
1⤵
PID:3892
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /E
1⤵
PID:5164
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /E
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /B
1⤵
PID:5448
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /B
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /P
1⤵
PID:4400
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /P
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /o
1⤵
PID:4664
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /o
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /h
1⤵
PID:4596
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:2980
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /h
1⤵
PID:4196
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /I
1⤵
PID:2728
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /I
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Z
1⤵
PID:1608
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Z
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /h
1⤵
PID:4168
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /a
1⤵
PID:2484
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /a
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /a
1⤵
PID:4408
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /a
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /D
1⤵
PID:876
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /D
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /k
1⤵
PID:2452
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /k
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /s
1⤵
PID:1032
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /s
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /D
1⤵
PID:5588
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /D
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /o
1⤵
PID:3988
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /o
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Y
1⤵
PID:4932
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Y
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /s
1⤵
PID:5228
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /y
1⤵
PID:5444
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /y
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /V
1⤵
PID:712
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /V
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /M
1⤵
PID:4968
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /M
  2⤵
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /q
1⤵
PID:1508
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /q
  2⤵
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /O
1⤵
PID:2448
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /O
  2⤵
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /n
1⤵
PID:5904
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /n
  2⤵
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /x
1⤵
PID:5040
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /f
1⤵
PID:5836
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /f
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /n
1⤵
PID:6124
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /n
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /x
1⤵
PID:4648
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /x
  2⤵
  PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /p
1⤵
PID:5100
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /p
  2⤵
  - System Location Discovery: System Language Discovery
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /u
1⤵
PID:4960
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /u
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /g
1⤵
PID:6032
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /g
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /s
1⤵
PID:5808
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /s
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /q
1⤵
PID:1884
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /q
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /a
1⤵
PID:2524
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /a
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /n
1⤵
PID:5416
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /n
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /C
1⤵
PID:2976
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /C
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /W
1⤵
PID:4964
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /W
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:2112
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Y
1⤵
PID:3716
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Y
  2⤵
  PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /R
1⤵
PID:5848
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /R
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /d
1⤵
PID:5228
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /d
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:5048
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /c
1⤵
PID:4092
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /c
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /T
1⤵
PID:1692
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /j
1⤵
PID:816
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /j
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Q
1⤵
PID:4660
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Q
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:4648
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /k
1⤵
PID:4236
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /k
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /b
1⤵
PID:1500
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /b
  2⤵
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /d
1⤵
PID:5700
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /d
  2⤵
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:2464
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /P
1⤵
PID:4672
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /P
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /M
1⤵
PID:4408
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /M
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /T
1⤵
PID:1804
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /y
1⤵
PID:3452
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /h
1⤵
PID:2224
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /h
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /d
1⤵
PID:1568
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /d
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /f
1⤵
PID:6112
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /f
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /e
1⤵
PID:1668
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /e
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /k
1⤵
PID:5016
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /k
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /s
1⤵
PID:4508
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /o
1⤵
PID:5036
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /o
  2⤵
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /G
1⤵
PID:5164
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /G
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /c
1⤵
PID:5976
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /c
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /j
1⤵
PID:2692
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /j
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /r
1⤵
PID:3272
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /n
1⤵
PID:4936
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /n
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:4004
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /U
1⤵
PID:1424
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /U
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /A
1⤵
PID:4188
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /d
1⤵
PID:3040
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /d
  2⤵
  PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /m
1⤵
PID:6072
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /m
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /L
1⤵
PID:4048
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /L
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /r
1⤵
PID:1448
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /r
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /r
1⤵
PID:2872
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /r
  2⤵
  PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /o
1⤵
PID:2512
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /o
  2⤵
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /u
1⤵
PID:2412
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /u
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:5068
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /a
1⤵
PID:1116
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /a
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:4220
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /u
1⤵
PID:3576
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /u
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /j
1⤵
PID:5644
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /j
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /i
1⤵
PID:2224
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /i
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:3640
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /O
1⤵
PID:5156
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /O
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /P
1⤵
PID:5284
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /P
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /A
1⤵
PID:4336
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /A
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /b
1⤵
PID:864
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /b
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /p
1⤵
PID:4508
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /p
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /H
1⤵
PID:4368
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /H
  2⤵
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /P
1⤵
PID:5232
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /P
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:3260
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /H
1⤵
PID:5396
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /H
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /x
1⤵
PID:4720
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /R
1⤵
PID:3984
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /R
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /j
1⤵
PID:5476
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /j
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /d
1⤵
PID:4660
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /d
  2⤵
  PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /c
1⤵
PID:4788
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /s
1⤵
PID:6116
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /s
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /S
1⤵
PID:4656
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /S
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /D
1⤵
PID:2916
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /D
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /G
1⤵
PID:3032
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /G
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /s
1⤵
PID:2464
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /s
  2⤵
  PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /H
1⤵
PID:5080
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /H
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /c
1⤵
PID:404
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /c
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Y
1⤵
PID:4744
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Y
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /c
1⤵
PID:2644
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /c
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:5384
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /m
1⤵
PID:1224
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /m
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /X
1⤵
PID:3544
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /X
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /e
1⤵
PID:1928
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /e
  2⤵
  PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /h
1⤵
PID:6052
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /h
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /a
1⤵
PID:5228
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /a
  2⤵
  PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /n
1⤵
PID:1924
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /n
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /O
1⤵
PID:4056
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /O
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /U
1⤵
PID:5696
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /U
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /G
1⤵
PID:4448
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /G
  2⤵
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /s
1⤵
PID:6136
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /s
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /L
1⤵
PID:4368
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /L
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /s
1⤵
PID:2672
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /z
1⤵
PID:1376
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /z
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /q
1⤵
PID:2228
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /S
1⤵
PID:2028
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /S
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /J
1⤵
PID:5112
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /J
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Z
1⤵
PID:4580
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Z
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /B
1⤵
PID:3048
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /B
  2⤵
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /b
1⤵
PID:5872
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /b
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /u
1⤵
PID:3040
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /u
  2⤵
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:3656
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /C
1⤵
PID:4280
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /C
  2⤵
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Q
1⤵
PID:5856
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Q
  2⤵
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:1160
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /f
1⤵
PID:4364
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /B
1⤵
PID:5964
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /B
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Z
1⤵
PID:1724
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Z
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /C
1⤵
PID:3648
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /q
1⤵
PID:2644
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /V
1⤵
PID:5384
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /V
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /v
1⤵
PID:1096
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /Q
1⤵
PID:3932
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /Q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /v
1⤵
PID:640
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /v
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /D
1⤵
PID:4432
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /D
  2⤵
  PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /e
1⤵
PID:1328
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /e
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /E
1⤵
PID:1268
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /E
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /b
1⤵
PID:2044
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /b
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /i
1⤵
PID:4060
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /i
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /a
1⤵
PID:2008
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /a
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /c
1⤵
PID:2732
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /c
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /W
1⤵
PID:2392
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /W
  2⤵
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /V
1⤵
PID:5508
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /V
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /u
1⤵
PID:3704
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /u
  2⤵
  PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /e
1⤵
PID:4044
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /e
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /f
1⤵
PID:2728
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /T
1⤵
PID:3556
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /H
1⤵
PID:5912
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /H
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /A
1⤵
PID:2052
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /A
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /U
1⤵
PID:1120
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /U
  2⤵
  PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /A
1⤵
PID:5608
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /A
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /H
1⤵
PID:5544
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /H
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:3224
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /r
1⤵
PID:4552
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /r
  2⤵
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /b
1⤵
PID:2372
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /b
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /e
1⤵
PID:2888
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /e
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /K
1⤵
PID:4704
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /K
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /l
1⤵
PID:400
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /l
  2⤵
  PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /o
1⤵
PID:2644
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /o
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /p
1⤵
PID:3300
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /p
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /O
1⤵
PID:3228
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /O
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /C
1⤵
PID:5428
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /C
  2⤵
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\jaubev.exe /T
1⤵
PID:1568
- C:\Users\Admin\jaubev.exe
  C:\Users\Admin\jaubev.exe /T
  2⤵
  PID:6132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\65C3.55B

Filesize
600B

MD5
c37b7ae5ae9b34bca3ec4178d0f907b4

SHA1
f49f727b6cf72572afa44ffae701a7afc43f8bb4

SHA256
bcad7289ef35758567ad6fca8b13f9e735c5c828c2e717518be351e33b9464d5

SHA512
c4bcc3390c1a892a107f5c1ce4d434db7423605730b4732b27213884d3053b7d7af4ccf26d0e398ec5299dacd4c4e64ada1a8fc1c5cc6a3af5cb771b8a935aa4

Download Submit
C:\Users\Admin\AppData\Roaming\65C3.55B

Filesize
996B

MD5
175db0a1cac348a52ad11b927b97e968

SHA1
81cc4a5b4e2d21d36686775d8e58366bcd8458e7

SHA256
0fec39f42ed52e84ac4856f8ef46b40d09770d6554e85f9cf9e29abd691249fa

SHA512
a08037a16cb0245da790d69d03f9b91b66359be54c8be076ce9a392727f3fbb289eed6c239c0dbd274eeb22ecdbb8a6e41f459502384f5f3f7fcbb06242243fe

Download Submit
C:\Users\Admin\AppData\Roaming\65C3.55B

Filesize
1KB

MD5
395e5b97e8981bc7a1e93cd3a922979c

SHA1
f9b59e50fbc32c9efa97e21e849a6fe913d335f7

SHA256
a132496b9a072296f2db8c693b8eeb6736a88cdf98aa6bf2587a547fbdff0b12

SHA512
a159909624e8707fbc98d454e42cf06eb59bd15cf1287cc115f744ad1fa51a6b1366586b972478a6226b4a151cdb30ef176d5c14715907c5523f9a7eec1310b6

Download Submit
C:\Users\Admin\V6oUpCF0mC.exe

Filesize
332KB

MD5
b96dc0230580570446ab648e20a7e3b3

SHA1
27483df87ef7093d51062fb2d2fc9944f94c23fb

SHA256
2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

SHA512
b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

Download Submit
C:\Users\Admin\ayhost.exe

Filesize
68KB

MD5
2c7c2d4e9c03a1818621def0e1281a81

SHA1
c92b29a7f6e9998c7a86b9b57cff15f28647a127

SHA256
9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e

SHA512
431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66

Download Submit
C:\Users\Admin\byhost.exe

Filesize
136KB

MD5
1d0f81b6e185ec95e716d2a0b2ba69a1

SHA1
09399ffa69ae8bfd9794104bc4b7b4f481980e3a

SHA256
abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878

SHA512
6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1

Download Submit
C:\Users\Admin\cyhost.exe

Filesize
168KB

MD5
234bf3937f8fe09351acc53c059b40d2

SHA1
256f162b65eacc7a1fee35722fbfdbd55bba93c7

SHA256
86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b

SHA512
6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7

Download Submit
C:\Users\Admin\dyhost.exe

Filesize
24KB

MD5
9814ec05c8857737f599ba75b1610fb1

SHA1
aa9d9b016c2feda03cf6ad1bbca332070eb9b295

SHA256
a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597

SHA512
c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d

Download Submit
C:\Users\Admin\jaubev.exe

Filesize
332KB

MD5
e3484aafba465cc3261efb9ca8976bbe

SHA1
385471d8a326687a32f7e1cd661c27867685e6ac

SHA256
dd72bc503b4c7f362c1909e6bbe4da015b624f54a2c101068ed1bfd6d08eeed8

SHA512
0a0df68857f434af9bf58033ea9538142fc0d47e415bc242fd2ef7a70ce36ef34dfe4446a4d6cda37918cc1a2c7043b22a1cb1f4c5061b1d9e6bb18d282a644d

Download Submit
memory/2188-96-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3476-205-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3476-74-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3844-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3844-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3844-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4544-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4544-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5108-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5108-89-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5108-7-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5108-518-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5108-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5524-148-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5524-508-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5524-256-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5524-543-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download