blackshades | 9a9867db74c4f73b05f9846aa61d8216b50c280f71abc28bf05a7c4cf1df07ed

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe
Size

1.6MB
MD5

9910fa29b8f629fef294a96faacb9d3f
SHA1

39fef68135b3e264bbf5e772f77f3d597f68a1b4
SHA256

9a9867db74c4f73b05f9846aa61d8216b50c280f71abc28bf05a7c4cf1df07ed
SHA512

5e9c48961ab2f04ad8e8707d2806673500b01a2b9f4388372116afbc0c3f4dddb51e0bc949fb473e8ae7aebd5514417a9c042c99c83c60fce1ad5d0080f17861
SSDEEP

49152:kt586pw9pIf4QzpbdmpXm3Qx2RzevU9NQ85T/:giSr1z3cWAx2RzKgm85/

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 64 IoCs

resource	yara_rule
behavioral2/memory/1568-40-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1568-39-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5580-64-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5580-70-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1720-76-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1720-79-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1568-83-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5876-96-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1300-105-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4056-122-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5508-144-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5384-143-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5508-148-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4884-160-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1568-164-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4956-176-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3068-188-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/228-202-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1036-215-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4624-228-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/6052-241-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/928-253-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/896-267-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2176-284-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2384-296-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/844-308-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/844-311-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1388-323-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4936-337-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3032-349-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5676-366-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3844-378-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2880-393-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2880-390-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5156-403-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5156-406-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2328-420-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3900-432-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5192-447-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5180-459-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3228-471-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3228-468-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1984-482-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2172-500-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4488-497-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4488-491-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2172-506-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5888-531-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4484-533-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4484-527-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2728-545-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3400-555-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/4964-566-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1864-577-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/1004-601-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3188-603-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3188-598-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3872-615-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3872-612-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/5660-626-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/3728-645-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/656-648-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/976-662-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades
behavioral2/memory/2312-673-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\tmp1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	tmp1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	tmp1.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFECFBC4-F6FD-6E1C-E920-DFDEAADD742B}	tmp1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFECFBC4-F6FD-6E1C-E920-DFDEAADD742B}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	tmp1.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CFECFBC4-F6FD-6E1C-E920-DFDEAADD742B}	tmp1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CFECFBC4-F6FD-6E1C-E920-DFDEAADD742B}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	tmp1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe

Executes dropped EXE 64 IoCs

pid	Process
1392	tmp1.exe
3232	tmp2.exe
1568	tmp1.exe
2928	svchost.exe
4016	svchost.exe
5580	svchost.exe
1720	svchost.exe
2180	svchost.exe
1680	svchost.exe
5876	svchost.exe
1300	svchost.exe
1948	svchost.exe
3776	svchost.exe
5668	svchost.exe
1228	svchost.exe
4056	svchost.exe
5924	svchost.exe
5384	svchost.exe
5508	svchost.exe
1748	svchost.exe
4884	svchost.exe
4848	svchost.exe
3296	svchost.exe
4956	svchost.exe
3068	svchost.exe
5744	svchost.exe
228	svchost.exe
1392	svchost.exe
1036	svchost.exe
4624	svchost.exe
2336	svchost.exe
6052	svchost.exe
1512	svchost.exe
928	svchost.exe
1612	svchost.exe
3680	svchost.exe
896	svchost.exe
2176	svchost.exe
2384	svchost.exe
1928	svchost.exe
3236	svchost.exe
844	svchost.exe
1388	svchost.exe
3228	svchost.exe
2440	svchost.exe
4936	svchost.exe
3032	svchost.exe
564	svchost.exe
4480	svchost.exe
5676	svchost.exe
3844	svchost.exe
5132	svchost.exe
2116	svchost.exe
2880	svchost.exe
5156	svchost.exe
4616	svchost.exe
1512	svchost.exe
2328	svchost.exe
3900	svchost.exe
5328	svchost.exe
5912	svchost.exe
5192	svchost.exe
5180	svchost.exe
1228	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	tmp1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	tmp1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1392 set thread context of 1568	1392	tmp1.exe	93
PID 2928 set thread context of 5580	2928	svchost.exe	105
PID 4016 set thread context of 1720	4016	svchost.exe	106
PID 1680 set thread context of 5876	1680	svchost.exe	113
PID 2180 set thread context of 1300	2180	svchost.exe	114
PID 1948 set thread context of 4056	1948	svchost.exe	143
PID 3776 set thread context of 5384	3776	svchost.exe	145
PID 5668 set thread context of 5508	5668	svchost.exe	146
PID 1228 set thread context of 4884	1228	svchost.exe	151
PID 5924 set thread context of 4956	5924	svchost.exe	155
PID 1748 set thread context of 3068	1748	svchost.exe	156
PID 4848 set thread context of 228	4848	svchost.exe	162
PID 3296 set thread context of 1036	3296	svchost.exe	164
PID 5744 set thread context of 4624	5744	svchost.exe	169
PID 1392 set thread context of 6052	1392	svchost.exe	172
PID 2336 set thread context of 928	2336	svchost.exe	179
PID 1512 set thread context of 896	1512	svchost.exe	182
PID 1612 set thread context of 2176	1612	svchost.exe	183
PID 3680 set thread context of 2384	3680	svchost.exe	184
PID 1928 set thread context of 844	1928	svchost.exe	191
PID 3236 set thread context of 1388	3236	svchost.exe	192
PID 3228 set thread context of 4936	3228	svchost.exe	200
PID 2440 set thread context of 3032	2440	svchost.exe	201
PID 4480 set thread context of 5676	4480	svchost.exe	209
PID 564 set thread context of 3844	564	svchost.exe	210
PID 2116 set thread context of 2880	2116	svchost.exe	217
PID 5132 set thread context of 5156	5132	svchost.exe	218
PID 1512 set thread context of 2328	1512	svchost.exe	227
PID 4616 set thread context of 3900	4616	svchost.exe	228
PID 5328 set thread context of 5192	5328	svchost.exe	235
PID 5912 set thread context of 5180	5912	svchost.exe	236
PID 1228 set thread context of 3228	1228	svchost.exe	243
PID 4744 set thread context of 1984	4744	svchost.exe	244
PID 5060 set thread context of 4488	5060	svchost.exe	251
PID 4992 set thread context of 2172	4992	svchost.exe	252
PID 3960 set thread context of 5888	3960	svchost.exe	259
PID 2580 set thread context of 4484	2580	svchost.exe	260
PID 5412 set thread context of 2728	5412	svchost.exe	267
PID 6052 set thread context of 3400	6052	svchost.exe	268
PID 4812 set thread context of 4964	4812	svchost.exe	275
PID 5920 set thread context of 1864	5920	svchost.exe	276
PID 3324 set thread context of 1004	3324	svchost.exe	283
PID 1788 set thread context of 3188	1788	svchost.exe	284
PID 2700 set thread context of 3872	2700	svchost.exe	291
PID 4748 set thread context of 5660	4748	svchost.exe	292
PID 4044 set thread context of 3728	4044	svchost.exe	300
PID 2064 set thread context of 656	2064	svchost.exe	301
PID 2360 set thread context of 976	2360	svchost.exe	308
PID 4868 set thread context of 2312	4868	svchost.exe	309
PID 4344 set thread context of 3960	4344	svchost.exe	316
PID 228 set thread context of 4704	228	svchost.exe	317
PID 4500 set thread context of 2396	4500	svchost.exe	324
PID 868 set thread context of 4312	868	svchost.exe	325
PID 5420 set thread context of 4812	5420	svchost.exe	332
PID 1420 set thread context of 1496	1420	svchost.exe	333
PID 1652 set thread context of 2400	1652	svchost.exe	340
PID 4116 set thread context of 5984	4116	svchost.exe	341
PID 2744 set thread context of 4072	2744	svchost.exe	348
PID 896 set thread context of 3896	896	svchost.exe	349
PID 3432 set thread context of 3984	3432	svchost.exe	356
PID 3680 set thread context of 5520	3680	svchost.exe	357
PID 2840 set thread context of 1588	2840	svchost.exe	364
PID 4744 set thread context of 1980	4744	svchost.exe	365
PID 3724 set thread context of 4708	3724	svchost.exe	373

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000024241-32.dat	upx
behavioral2/memory/3232-31-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/1568-34-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1568-38-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1568-40-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1568-39-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3232-51-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3232-55-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/5580-64-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5580-70-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1720-76-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1720-79-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1568-83-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5876-96-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1300-105-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4056-122-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5508-144-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5384-143-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5508-148-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4884-160-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1568-164-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4956-176-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3068-188-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/228-202-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1036-215-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4624-228-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/6052-241-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/928-253-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/896-267-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2176-284-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2384-296-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/844-308-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/844-311-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1388-323-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4936-337-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3032-349-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5676-366-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3844-378-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2880-393-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2880-390-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5156-403-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5156-406-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2328-420-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3900-432-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5192-447-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5180-459-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3228-471-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3228-468-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1984-482-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2172-500-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4488-497-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4488-491-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2172-506-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/5888-531-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4484-533-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4484-527-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/2728-545-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3400-555-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4964-566-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1864-577-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/1004-601-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3188-603-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3188-598-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3872-615-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
5860	reg.exe
5196	reg.exe
1692	reg.exe
3432	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	1568	tmp1.exe
Token: SeCreateTokenPrivilege	1568	tmp1.exe
Token: SeAssignPrimaryTokenPrivilege	1568	tmp1.exe
Token: SeLockMemoryPrivilege	1568	tmp1.exe
Token: SeIncreaseQuotaPrivilege	1568	tmp1.exe
Token: SeMachineAccountPrivilege	1568	tmp1.exe
Token: SeTcbPrivilege	1568	tmp1.exe
Token: SeSecurityPrivilege	1568	tmp1.exe
Token: SeTakeOwnershipPrivilege	1568	tmp1.exe
Token: SeLoadDriverPrivilege	1568	tmp1.exe
Token: SeSystemProfilePrivilege	1568	tmp1.exe
Token: SeSystemtimePrivilege	1568	tmp1.exe
Token: SeProfSingleProcessPrivilege	1568	tmp1.exe
Token: SeIncBasePriorityPrivilege	1568	tmp1.exe
Token: SeCreatePagefilePrivilege	1568	tmp1.exe
Token: SeCreatePermanentPrivilege	1568	tmp1.exe
Token: SeBackupPrivilege	1568	tmp1.exe
Token: SeRestorePrivilege	1568	tmp1.exe
Token: SeShutdownPrivilege	1568	tmp1.exe
Token: SeDebugPrivilege	1568	tmp1.exe
Token: SeAuditPrivilege	1568	tmp1.exe
Token: SeSystemEnvironmentPrivilege	1568	tmp1.exe
Token: SeChangeNotifyPrivilege	1568	tmp1.exe
Token: SeRemoteShutdownPrivilege	1568	tmp1.exe
Token: SeUndockPrivilege	1568	tmp1.exe
Token: SeSyncAgentPrivilege	1568	tmp1.exe
Token: SeEnableDelegationPrivilege	1568	tmp1.exe
Token: SeManageVolumePrivilege	1568	tmp1.exe
Token: SeImpersonatePrivilege	1568	tmp1.exe
Token: SeCreateGlobalPrivilege	1568	tmp1.exe
Token: 31	1568	tmp1.exe
Token: 32	1568	tmp1.exe
Token: 33	1568	tmp1.exe
Token: 34	1568	tmp1.exe
Token: 35	1568	tmp1.exe
Token: SeDebugPrivilege	1568	tmp1.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
6056	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe
3232	tmp2.exe
3232	tmp2.exe
3232	tmp2.exe
1568	tmp1.exe
1568	tmp1.exe
5580	svchost.exe
5580	svchost.exe
1720	svchost.exe
1720	svchost.exe
5876	svchost.exe
5876	svchost.exe
1568	tmp1.exe
1300	svchost.exe
1300	svchost.exe
4056	svchost.exe
4056	svchost.exe
5384	svchost.exe
5384	svchost.exe
5508	svchost.exe
5508	svchost.exe
4884	svchost.exe
4884	svchost.exe
4956	svchost.exe
4956	svchost.exe
3068	svchost.exe
3068	svchost.exe
228	svchost.exe
228	svchost.exe
1036	svchost.exe
1036	svchost.exe
4624	svchost.exe
4624	svchost.exe
6052	svchost.exe
6052	svchost.exe
928	svchost.exe
928	svchost.exe
896	svchost.exe
896	svchost.exe
2176	svchost.exe
2176	svchost.exe
2384	svchost.exe
2384	svchost.exe
844	svchost.exe
844	svchost.exe
1388	svchost.exe
1388	svchost.exe
4936	svchost.exe
4936	svchost.exe
3032	svchost.exe
3032	svchost.exe
5676	svchost.exe
5676	svchost.exe
3844	svchost.exe
3844	svchost.exe
2880	svchost.exe
2880	svchost.exe
5156	svchost.exe
5156	svchost.exe
2328	svchost.exe
2328	svchost.exe
3900	svchost.exe
3900	svchost.exe
5192	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6056 wrote to memory of 1392	6056	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe	86
PID 6056 wrote to memory of 1392	6056	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe	86
PID 6056 wrote to memory of 1392	6056	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe	86
PID 6056 wrote to memory of 3232	6056	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe	87
PID 6056 wrote to memory of 3232	6056	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe	87
PID 6056 wrote to memory of 3232	6056	JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe	87
PID 1392 wrote to memory of 1568	1392	tmp1.exe	93
PID 1392 wrote to memory of 1568	1392	tmp1.exe	93
PID 1392 wrote to memory of 1568	1392	tmp1.exe	93
PID 1392 wrote to memory of 1568	1392	tmp1.exe	93
PID 1392 wrote to memory of 1568	1392	tmp1.exe	93
PID 1392 wrote to memory of 1568	1392	tmp1.exe	93
PID 1392 wrote to memory of 1568	1392	tmp1.exe	93
PID 1392 wrote to memory of 1568	1392	tmp1.exe	93
PID 2868 wrote to memory of 4016	2868	cmd.exe	102
PID 840 wrote to memory of 2928	840	cmd.exe	101
PID 2868 wrote to memory of 4016	2868	cmd.exe	102
PID 2868 wrote to memory of 4016	2868	cmd.exe	102
PID 840 wrote to memory of 2928	840	cmd.exe	101
PID 840 wrote to memory of 2928	840	cmd.exe	101
PID 2928 wrote to memory of 5580	2928	svchost.exe	105
PID 2928 wrote to memory of 5580	2928	svchost.exe	105
PID 2928 wrote to memory of 5580	2928	svchost.exe	105
PID 2928 wrote to memory of 5580	2928	svchost.exe	105
PID 2928 wrote to memory of 5580	2928	svchost.exe	105
PID 2928 wrote to memory of 5580	2928	svchost.exe	105
PID 2928 wrote to memory of 5580	2928	svchost.exe	105
PID 2928 wrote to memory of 5580	2928	svchost.exe	105
PID 4016 wrote to memory of 1720	4016	svchost.exe	106
PID 4016 wrote to memory of 1720	4016	svchost.exe	106
PID 4016 wrote to memory of 1720	4016	svchost.exe	106
PID 4016 wrote to memory of 1720	4016	svchost.exe	106
PID 4016 wrote to memory of 1720	4016	svchost.exe	106
PID 4016 wrote to memory of 1720	4016	svchost.exe	106
PID 4016 wrote to memory of 1720	4016	svchost.exe	106
PID 4016 wrote to memory of 1720	4016	svchost.exe	106
PID 2448 wrote to memory of 2180	2448	cmd.exe	111
PID 2448 wrote to memory of 2180	2448	cmd.exe	111
PID 2448 wrote to memory of 2180	2448	cmd.exe	111
PID 5800 wrote to memory of 1680	5800	cmd.exe	112
PID 5800 wrote to memory of 1680	5800	cmd.exe	112
PID 5800 wrote to memory of 1680	5800	cmd.exe	112
PID 1680 wrote to memory of 5876	1680	svchost.exe	113
PID 1680 wrote to memory of 5876	1680	svchost.exe	113
PID 1680 wrote to memory of 5876	1680	svchost.exe	113
PID 1680 wrote to memory of 5876	1680	svchost.exe	113
PID 1680 wrote to memory of 5876	1680	svchost.exe	113
PID 1680 wrote to memory of 5876	1680	svchost.exe	113
PID 1680 wrote to memory of 5876	1680	svchost.exe	113
PID 1680 wrote to memory of 5876	1680	svchost.exe	113
PID 2180 wrote to memory of 1300	2180	svchost.exe	114
PID 2180 wrote to memory of 1300	2180	svchost.exe	114
PID 2180 wrote to memory of 1300	2180	svchost.exe	114
PID 2180 wrote to memory of 1300	2180	svchost.exe	114
PID 2180 wrote to memory of 1300	2180	svchost.exe	114
PID 2180 wrote to memory of 1300	2180	svchost.exe	114
PID 2180 wrote to memory of 1300	2180	svchost.exe	114
PID 1568 wrote to memory of 2960	1568	tmp1.exe	115
PID 1568 wrote to memory of 2960	1568	tmp1.exe	115
PID 1568 wrote to memory of 2960	1568	tmp1.exe	115
PID 1568 wrote to memory of 3816	1568	tmp1.exe	116
PID 1568 wrote to memory of 3816	1568	tmp1.exe	116
PID 1568 wrote to memory of 3816	1568	tmp1.exe	116
PID 1568 wrote to memory of 2232	1568	tmp1.exe	117

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9910fa29b8f629fef294a96faacb9d3f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6056
- C:\Users\Admin\AppData\Local\Temp\tmp1.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\tmp1.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp1.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      PID:2960
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\tmp1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\tmp1.exe:*:Enabled:Windows Messanger" /f
      4⤵
      PID:3816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\tmp1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\tmp1.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:5196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      PID:2232
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      PID:4456
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:5860
- C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5800
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:404
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3776
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1400
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1948
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1588
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1228
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5668
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1748
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4992
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5924
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1852
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3296
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5676
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4848
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4548
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1392
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4712
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5744
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1512
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:2100
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2336
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5104
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3680
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1208
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1612
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:6000
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3236
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5284
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1928
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5288
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3228
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3168
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2440
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5788
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4480
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:2904
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:564
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1480
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2116
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:2396
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5132
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4240
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1512
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4680
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4616
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5328
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5896
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5912
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5748
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4744
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3592
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1228
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1624
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4992
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3028
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5060
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5788
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2580
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4848
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3960
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1708
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6052
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5808
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5412
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5080
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4812
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5920
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1788
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4172
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3324
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2700
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5492
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4748
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5104
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4044
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4016
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2064
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:316
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2360
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3208
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4868
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:2032
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:228
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1256
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4344
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4848
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4500
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:564
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:868
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4968
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5420
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1352
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1420
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4068
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4116
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:6008
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1652
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3440
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2744
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1788
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:896
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3264
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3432
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3680
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3396
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4744
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2840
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1472
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2608
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3724
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3296
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4940
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4480
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4732
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5900
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5352
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4400
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:3352
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1780
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2308
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:6136
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5804
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4528
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4944
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4068
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2208
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:1868
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:5576
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6044
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1360
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:5356
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:1592
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5776
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4872
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:4940
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:4548
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3912
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3080
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
217KB

MD5
3bbd4585baaf29b976455cb2d27cea8c

SHA1
6de8c5727908c2a302851f46d8ce15b3d2559bf9

SHA256
9d27c98acae09233dd8c7b895501a561d1b07e8926ff224950dde021a0111e69

SHA512
068f3afa82422953b286f4327430ae45f3b5d8fec4c729186cf132bc9d06b904521163c9be97221bc3d2da7e505e7a3b83f58957c00742adae55e9bb37615199

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
1.3MB

MD5
a4a35c295f029ae2b5a8d5bb50e1f66d

SHA1
4d4afc22493230a2e7f2a2403681e4307f235ad9

SHA256
1d069f565744fd229e5f729616f5c952c0b10e88c8b90d0e0ad017deea91d6d8

SHA512
f55e0a3f2918f0465a2834af263f5b267b4626c70cac460de11e736ac60e74dd9e610364e2107572b72ef3c62162baecfe82b473dd7d8f0d2e20ba344f50bbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3.exe

Filesize
8B

MD5
9d8ac3bf6e084e550092d29e52c14ff1

SHA1
2c32eadcd9ebdfb6ac930b85dad07d949a6c2c2d

SHA256
bc0ae492ebb0a6ddf1a3a28488b2f3e43606c60e4fe7958188ecdf14acd7ca66

SHA512
f86a061e45c859622bdd32f2d62243e9e2fe4088059434468bd55bafab81279704add4d0239a1eb65667ed4aa0c19f5cbd004953eeb0cd39c5f2422e89750e8d

Download Submit
memory/228-202-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/232-911-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/656-648-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/844-311-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/844-308-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/896-267-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/928-253-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/976-662-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1004-601-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1036-215-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1300-105-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1388-323-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1496-744-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1568-40-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1568-83-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1568-39-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1568-164-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1568-38-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1568-34-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1588-835-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1720-79-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1720-76-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1864-577-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1944-938-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1980-838-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1980-833-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1984-482-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2172-506-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2172-500-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2176-284-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2312-673-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2328-420-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2384-296-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2396-711-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2396-709-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2400-753-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2400-762-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2728-545-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2880-393-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2880-390-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2884-958-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2884-961-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3032-349-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3068-188-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3188-598-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3188-603-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3228-471-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3228-468-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3232-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3232-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3232-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3400-555-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3728-645-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3844-378-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3872-612-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3872-615-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3896-790-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3900-432-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3960-692-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3984-811-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4056-122-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4072-792-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4312-722-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4344-889-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4344-883-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4484-527-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4484-533-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4488-497-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4488-491-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4568-886-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4568-882-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4624-228-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4704-695-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4708-865-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4708-860-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4812-734-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4884-160-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4936-337-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4956-176-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4964-566-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5080-924-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5080-928-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5156-406-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5156-403-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5180-459-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5192-447-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5372-858-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5372-863-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5384-143-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5508-144-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5508-148-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5520-812-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5520-815-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5580-70-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5580-64-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5660-626-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5676-366-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5820-899-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5876-96-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5888-531-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5904-949-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5984-767-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/6052-241-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads